Re: [Samba] rsync folder permissions
On 24/07/12 13:49, Thomas Mueller wrote:
> On Mon, 23 Jul 2012 13:57:56 +0200, steve wrote:
>> Hi
>> Yes. I was missing the -a switch:
>> rsync -auzv source destination
>> works fine but I found that the owner and group are not synced until the last moment. Impatience perhaps.
>> Cheers,
>> Steve
>
> you should also consider -X (xattrs) -H (hardlinks) and -A (ACLs).
>
> - Thomas

Hi Thomas
Would that be:
rsync -auzvXHA source destination
Cheers,
Steve
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Windows 7: block an OU from the control panel
Hi
In XP this is very easy to do by right clicking the OU and selecting properties-GPO. I've searched and tried but I can't get a way to do it in w7. Does anyone have a step by step?
Cheers,
Steve
[Samba] Samba4: 2DC domain. Which ldap:// address do I use, DC1 or DC2?
2 Samba4 DCs joined and replicating great.
Hi
I'm running some Linux scripts on DC2 which I copied from DC1. I changed the ldap:// address for a script which I copied to DC2 to that of DC2. If I now deliberately fail over DC1, the script on DC2 complains that the ldap address is invalid. Do I keep the scripts at the same ldap:// address on BOTH DCs? Is that correct?
Cheers,
Steve
Re: [Samba] Samba4: 2DC domain. Which ldap:// address do I use, DC1 or DC2?
On 30/07/12 01:14, John Drescher wrote:
> On Sun, Jul 29, 2012 at 11:43 AM, steve <st...@steve-ss.com> wrote:
>> 2 Samba4 DCs joined and replicating great.
>> Hi
>> I'm running some Linux scripts on DC2 which I copied from DC1. I changed the ldap:// address for a script which I copied to DC2 to that of DC2. If I now deliberately fail over DC1, the script on DC2 complains that the ldap address is invalid. Do I keep the scripts at the same ldap:// address on BOTH DCs? Is that correct?
>
> I put both ldap servers (actually in my case 3 ldap servers and 3 DCs) on that line on both DCs.
>
> John

Hi John
Thanks
Say I have:
ldbsearch --url=ldap://hh1.hh3.site --kerberos=yes --krb5-ccache=$ccache some search stuff
How would I add ldap://hh6.hh3.site to that line? Is there a way to pull the fqdns for both DCs from the directory? (so I can make the script non-specific to my domain)
Cheers,
Steve
Re: [Samba] Samba4: 2DC domain. Which ldap:// address do I use, DC1 or DC2?
On 30/07/12 09:43, Daniel Müller wrote:
> If you use your DCs (using samba4 internal ldap) in replication mode all of your address-books on your DCs should be equal.

Hi Daniel
I don't know what you mean by address books. I can scan the directory on OU=Domain Controllers and pull out the fqdns to use from there. Is that it?
Cheers,
Steve
Re: [Samba] Samba4: 2DC domain. Which ldap:// address do I use, DC1 or DC2?
On 30/07/12 10:43, Daniel Müller wrote:
> That's it. In replication mode all information is equal. So it should not matter which DC you use.

OK, got it now. I can change my scripts to cut out the fqdns. My question about how to include multiple ldap://fqdns on ldbsearch command lines is still unclear however.
Cheers,
Steve
[Samba] Samba4: cannot create GPO from XP
Hi everyone
S4 install on Debian 6
I can't seem to apply a GPO to an OU in XP. The GPO is created OK, no errors appear in ADUC but nothing appears in the sysvol share. I continue to have only the default:

root@capital:/usr/local/samba/var/locks/sysvol/eccmg.cupet.cu/Policies# ls -la
total 16
drwsrwsr-x  3 root    staff 4096 Jul 30 08:56 .
drwsrwsr-x  4 root    staff 4096 Jul 19 09:09 ..
drwxrws---+ 5 3000134 users 4096 Jul 30 08:56 {2D2153FA-7AD3-4DE5-94F7-D62B9677DC1A}
-rwsrwxr-x  1 root    staff    0 Apr 24 13:47 Policy.ini

Can anyone help me know where to start to debug this? I think it may be an acl/permissions issue. What should the parent directory, in my case:
/usr/local/samba/var/locks/sysvol/eccmg.cupet.cu
be? Not:
drwsrwsr-x 4 root staff
I don't think.
Cheers,
Steve
[Samba] Samba4: win7 adding a new user to OU does not inherit GPO
Hi
I have an OU with a GPO. If I drag a new user to the OU, they do not inherit the GPO. What do I have to do to have them inherit? I've tried refresh in ADUC and group policy management and rebooting but nothing.
Cheers,
Steve
[Samba] Samba4: net ads join fails: Host is not configured as a member server.
Hi everyone
I'm trying to join an Ubuntu 12.04 client to a 12.04 Samba4 DC. xp and win7 clients can join fine. Here is my minimal smb.conf:
realm = POLOP.SITE
workgroup = POLOP
security = ADS
Kerberos is working:
kinit Administrator
Password for administra...@polop.site:
But then it tells me that the DC is _not_ a DC:
net ads join -UAdministrator
Host is not configured as a member server.
Invalid configuration. Exiting
Failed to join domain: This operation is only allowed for the PDC of the domain.
and:
net ads testjoin
Failed to open /usr/local/samba/private/secrets.tdb
Join to domain is not valid: Access denied
Can anyone help me tell the Ubuntu client that it really _is_ a DC? Or WHY.
Cheers,
Steve
Re: [Samba] Samba4: net ads join fails: Host is not configured as a member server. [SOLVED]
On 02/08/12 11:03, Gémes Géza wrote:
> On 2012-08-02 09:01, steve wrote:
>> Hi everyone
>> I'm trying to join an Ubuntu 12.04 client to a 12.04 Samba4 DC. xp and win7 clients can join fine. Here is my minimal smb.conf:
>> realm = POLOP.SITE
>> workgroup = POLOP
>> security = ADS
>> Kerberos is working:
>> kinit Administrator
>> Password for administra...@polop.site:
>> But then it tells me that the DC is _not_ a DC:
>> net ads join -UAdministrator
>> Host is not configured as a member server.
>> Invalid configuration. Exiting
>> Failed to join domain: This operation is only allowed for the PDC of the domain.
>> and:
>> net ads testjoin
>> Failed to open /usr/local/samba/private/secrets.tdb
>> Join to domain is not valid: Access denied
>> Can anyone help me tell the Ubuntu client that it really _is_ a DC? Or WHY.
>> Cheers,
>> Steve
>
> Hi,
> The most probable reason is having different versions of samba binaries installed. Using net ads ... suggests the use of samba3 client tools installed from packages; the path /usr/local/samba/private/secrets.tdb suggests a Samba built from source via ./configure; make; make install (which corresponds to a Samba4 install)
>
> Regards
> Geza Gemes

Hi Geza
Thanks so much. Yes, we had both the Ubuntu 3.6 and the 4.0 beta on the same test box. Our m$ guy had had a go with S4 and obviously succeeded without telling me. To be fair, I should add that it was upon my encouragement.
Conclusion. Samba4 is so easy to install that even a windoze admin can do it;-)
Cheers,
Steve
[Samba] idmap ignores the range set in smb.conf
Hi
server: Ubuntu 12.04 samba4 DC running winbindd
client: Ubuntu 12.04 samba 3.6.6
client smb.conf:
realm = polop.site
workgroup = POLOP
security = ADS
wide links = Yes
unix extensions = No
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
idmap uid = 30-40
idmap gid = 2-3
The client is joined to AD and users can login. But, for example, a user does not correspond to the 30-4 range set:
POLOP\joseph-p:*:20003:2:joseph-p:/home/POLOP/joseph-p:/bin/bash
I've cleared winbindd_idmap.tdb from winbindd_idmap.tdb on the client and restarted winbind and nscd is stopped.
What am I doing wrong?
Cheers,
Steve
[Samba] winbind is it possible to have the same uid and gid numbers everywhere?
Hi
Is it possible simply to have the uid/gid pair I set on the server on the clients too?
Cheers,
Steve
Re: [Samba] winbind is it possible to have the same uid and gid numbers everywhere?
On 02/08/12 13:54, NdK wrote:
> On 02/08/2012 13:21, steve wrote:
>> Is it possible simply to have the uid/gid pair I set on the server on the clients too?
> Yes and no. Actually, it depends on your setup. If you have a domain, you can. If not, I doubt...
>
> BYtE,
> Diego

Hi Diego
Yes, I have a Samba4 domain with Samba3.6 Linux clients attached. It works OK but the idmap is really confusing. I'd like to be able to use getent passwd and see the same uid:gid pair of numbers on both DC and client. At the moment, the client side ignores the idmap uid range and bases everything in the idmap gid range instead. Maybe that is a bug in Samba3?
Client smb.conf:
[global]
realm = polop.site
workgroup = POLOP
security = ADS
wide links = Yes
unix extensions = No
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
idmap uid = 30-40
idmap gid = 2-3
Ubuntu 12.04 Samba4 DC and Ubuntu 12.04 Samba3 clients.
Is what I want a possibility?
Cheers,
Steve
[Samba] winbind: uid range is ignored
Hi everyone.
Ubuntu 12.04 v3.6 clients with winbind joined to 12.04 Samba4 DC
Clients:
smb.conf
[global]
realm = polop.site
workgroup = POLOP
security = ADS
wide links = Yes
unix extensions = No
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
idmap uid = 30-40
idmap gid = 2-3
/etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
Problem: The uid range is ignored. Both uid and gid come from the gid range. e.g.:
getent passwd steve2
POLOP\steve2:*:20007:2:steve2:/home/POLOP/steve2:/bin/bash
Why is the uid range of 30-40 ignored?
Cheers,
Steve
Re: [Samba] winbind: uid range is ignored
On 02/08/12 17:14, Bjoern Baumbach wrote:
> Hi Steve,
> please use idmap config * : range = ... instead of idmap uid/gid.

Thanks Jonathan and Bjoern
I have that now. I chose:
idmap config * : range = 3-4
I have deleted the winbind files from /var/lib/samba and /var/cache/samba and restarted smbd and winbind but the idmap ranges are still at the old values. In fact they are the same numerical values as on the DC e.g.
-rw-r--r-- 1 337 20513 0 Aug 2 17:34 file1
Back on the DC/fileserver that is correctly mapped as:
-rw-r--r-- 1 POLOP\steve2 Domain Users 0 Aug 2 17:34 file1
Is there a cache somewhere else? I have even totally purged the whole of samba and reinstalled from nothing but still the old values reappear. How do I lose the old values so it accepts my new range and maps the files correctly as humanly readable uid:gid pairs rather than numbers?
nscd is not active.
cheers
Steve

/etc/samba/smb.conf
[global]
realm = polop.site
workgroup = POLOP
security = ADS
wide links = Yes
unix extensions = No
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
idmap config * : backend = tdb
idmap config * : range = 3-4
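The check being done by eye in the messages above (does the uid:gid that getent passwd hands back fall inside the range smb.conf configures?) is easy to script. The following is an added example, not code from the thread or from Samba: it parses both the legacy "idmap uid/gid" lines and the "idmap config DOMAIN : range" form, then flags every getent passwd entry whose uid or gid lies outside the range that applies to its domain. The smb.conf fragment and passwd lines are constructed sample input, and the precedence it applies (a domain-specific range first, then "idmap config * : range", then the legacy lines) is an assumption made for the example, not a statement of how winbindd resolves them.

```python
"""Check winbind idmap ranges in smb.conf against getent passwd output."""
import re

# Constructed sample smb.conf fragment (not the poster's file): legacy
# "idmap uid/gid" lines plus the "idmap config DOMAIN : range" form.
SMB_CONF = """
[global]
   realm = polop.site
   workgroup = POLOP
   security = ADS
   idmap uid = 30000-40000
   idmap gid = 20000-30000
   idmap config * : backend = tdb
   idmap config * : range = 30000-40000
   idmap config POLOP : backend = ad
   idmap config POLOP : range = 10000-19999
"""

# Constructed getent passwd lines in the DOMAIN\user:*:uid:gid:... shape seen in the thread.
GETENT_PASSWD = """
POLOP\\joseph-p:*:20003:20000:joseph-p:/home/POLOP/joseph-p:/bin/bash
POLOP\\steve2:*:10007:10014:steve2:/home/POLOP/steve2:/bin/bash
OTHER\\alice:*:45000:30001:alice:/home/OTHER/alice:/bin/bash
"""

RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)
LEGACY_RE = re.compile(r"^\s*idmap (uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def parse_idmap_ranges(conf):
    """Return (per-domain ranges keyed by upper-cased domain or '*', legacy uid/gid ranges)."""
    per_domain, legacy = {}, {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            per_domain[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
            continue
        m = LEGACY_RE.match(line)
        if m:
            legacy[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return per_domain, legacy


def range_for(domain, per_domain, legacy, kind):
    """Assumed precedence: domain-specific range, then the '*' default, then legacy idmap uid/gid."""
    if domain.upper() in per_domain:
        return per_domain[domain.upper()]
    if "*" in per_domain:
        return per_domain["*"]
    return legacy.get(kind)


def check_entries(conf, passwd_text):
    """Return (name, 'uid'|'gid', value, reason) for every id outside its configured range."""
    per_domain, legacy = parse_idmap_ranges(conf)
    problems = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, gid = line.split(":")[:4]
        # Entries without a DOMAIN\ prefix are checked against the '*' default.
        domain = name.split("\\")[0] if "\\" in name else "*"
        for kind, value in (("uid", int(uid)), ("gid", int(gid))):
            rng = range_for(domain, per_domain, legacy, kind)
            if rng is None:
                problems.append((name, kind, value, "no range configured"))
            elif not rng[0] <= value <= rng[1]:
                problems.append((name, kind, value, f"outside {rng[0]}-{rng[1]}"))
    return problems


if __name__ == "__main__":
    for name, kind, value, reason in check_entries(SMB_CONF, GETENT_PASSWD):
        print(f"{name}: {kind} {value} {reason}")
```

Running it on the sample input reports three problems: both ids of POLOP\joseph-p fall outside the POLOP range, and OTHER\alice, whose domain has no range of its own, gets a uid outside the "*" default. On a real client the same function can be fed the output of getent passwd, which is how a mapping that silently drifted away from the configured range (the symptom in this thread) shows up before it is noticed in file listings.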
Re: [Samba] winbind: uid range is ignored
On 02/08/12 18:16, Gémes Géza wrote:
> On 2012-08-02 17:45, steve wrote:
>> On 02/08/12 17:14, Bjoern Baumbach wrote:
>>> Hi Steve,
>>> please use idmap config * : range = ... instead of idmap uid/gid.
>>
>> Thanks Jonathan and Bjoern
>> I have that now. I chose:
>> idmap config * : range = 3-4
>> I have deleted the winbind files from /var/lib/samba and /var/cache/samba and restarted smbd and winbind but the idmap ranges are still at the old values. In fact they are the same numerical values as on the DC e.g.
>> -rw-r--r-- 1 337 20513 0 Aug 2 17:34 file1
>> Back on the DC/fileserver that is correctly mapped as:
>> -rw-r--r-- 1 POLOP\steve2 Domain Users 0 Aug 2 17:34 file1
>> Is there a cache somewhere else? I have even totally purged the whole of samba and reinstalled from nothing but still the old values reappear. How do I lose the old values so it accepts my new range and maps the files correctly as humanly readable uid:gid pairs rather than numbers?
>> nscd is not active.
>> cheers
>> Steve
>>
>> /etc/samba/smb.conf
>> [global]
>> realm = polop.site
>> workgroup = POLOP
>> security = ADS
>> wide links = Yes
>> unix extensions = No
>> template shell = /bin/bash
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> idmap config * : backend = tdb
>> idmap config * : range = 3-4
>
> I would suggest using idmap_ad:
> http://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html
>
> Regards
> Geza Gemes

Hi Geza
No. In this case it is a pure-by-the-book winbind test lan.
The problem is this:
Here is my id:
POLOP\steve2@ubuntu1:~$ id
uid=30007(POLOP\steve2) gid=30014(POLOP\domain users) groups=30014(POLOP\domain users),30016(POLOP\staff),30018(BUILTIN\users)
When I create a file, I want to see a uid:gid of POLOP\steve2 POLOP\domain users (as indeed I do back on the fileserver/DC)
But on the client, I see only the uid:gid _numbers_ which are stored in idmap.ldb on the server:
POLOP\steve2@ubuntu1:~$ touch afile
POLOP\steve2@ubuntu1:~$ ls -l afile
-rw-r--r-- 1 337 20513 0 Aug 2 18:34 afile
How do I convert 337 to POLOP\steve2 and 20513 to POLOP\domain users on the client?
The shares are mounted via kerberized nfs on the client and _did_ map correctly before this thread started.
Cheers,
Steve
Re: [Samba] winbind: uid range is ignored
On 02/08/12 20:57, NdK wrote:
> On 02/08/2012 18:42, steve wrote:
>> The shares are mounted via kerberized nfs on the client and _did_ map correctly before this thread started.
> Are you sure you updated /etc/nsswitch.conf to use winbind after purging the old Samba install?
>
> BYtE,
> Diego.

Hi
Yes, I have
passwd: files winbind
group: files winbind
getent passwd/group works fine. I get the names and corresponding uid:gid numbers within the range specified in smb.conf but all I get when I list files on the nfs share are numerical uid:gid values. I want those values to be DOMAIN\username DOMAIN\group rather than numerical values. How do I do that?
The uid:gid values are not in the range set in smb.conf. They are the uid:gid values in idmap _on the server_. It's as if nsswitch is ignoring winbind.
Cheers,
Steve
Re: [Samba] winbind: uid range is ignored
On 03/08/12 09:01, NdK wrote:
> On 03/08/2012 08:01, steve wrote:
>> getent passwd/group works fine. I get the names and corresponding uid:gid numbers within the range specified in smb.conf but all I get when I list files on the nfs share are numerical uid:gid values. I want those values to be DOMAIN\username DOMAIN\group rather than numerical values. How do I do that?
> Use *the same* range on both server and clients.

Hi Diego
Thanks for your patience in helping me sort this.
It doesn't seem to matter. I can have the same id range on both server and client. What is uid 327 on the server becomes uid 302 on the client.

>> The uid:gid values are not in the range set in smb.conf. They are the uid:gid values in idmap _on the server_. It's as if nsswitch is ignoring winbind.
> Obvious. NFS passes *numeric* IDs, so if a file is owned by userid 123456 on the server, then the client will see the same 123456 uid. That, if not correctly mapped, would give another user access to it (negating access to the original one).

That's exactly my point. My 327 maps correctly to DOMAIN\steve2 on the server but getent passwd on the client gives DOMAIN\steve2 as 302. If steve2 logs in and creates a file it becomes uid 327 and _not_ 302. If winbind is doing the mapping correctly it should map 327 to 302 and when I list a file that I have made it should give me back a uid of DOMAIN\steve2. It doesn't. The file created has uid 327 which works _but_ I want to see uids as names, not numbers.
I've also tried adding posixAccount, uidNumber and gidNumber to pull the uid:gid directly from AD with:
idmap config * : backend = ad
but then, getent passwd gives me no list of users.
Really stuck on this one. . .
The client is Ubuntu 12.04 with samba 3.6.3. Maybe 3.6.3 has bugs?
Cheers,
steve
Re: [Samba] winbind: uid range is ignored
On 03/08/12 10:22, steve wrote:
> On 03/08/12 09:01, NdK wrote:
>> On 03/08/2012 08:01, steve wrote:

It looks as though it's this:
https://bugzilla.samba.org/show_bug.cgi?id=8676
Ubuntu 12.04 ships with 3.6.3 :-(
Re: [Samba] winbind: uid range is ignored
On 03/08/12 11:03, Gémes Géza wrote:
> On 2012-08-03 10:22, steve wrote:
>> On 03/08/12 09:01, NdK wrote:
>>> On 03/08/2012 08:01, steve wrote:
>>>> getent passwd/group works fine. I get the names and corresponding uid:gid numbers within the range specified in smb.conf but all I get when I list files on the nfs share are numerical uid:gid values. I want those values to be DOMAIN\username DOMAIN\group rather than numerical values. How do I do that?
>>> Use *the same* range on both server and clients.
>> Hi Diego
>> Thanks for your patience in helping me sort this.
>> It doesn't seem to matter. I can have the same id range on both server and client. What is uid 327 on the server becomes uid 302 on the client.
>>>> The uid:gid values are not in the range set in smb.conf. They are the uid:gid values in idmap _on the server_. It's as if nsswitch is ignoring winbind.
>>> Obvious. NFS passes *numeric* IDs, so if a file is owned by userid 123456 on the server, then the client will see the same 123456 uid. That, if not correctly mapped, would give another user access to it (negating access to the original one).
>> That's exactly my point. My 327 maps correctly to DOMAIN\steve2 on the server but getent passwd on the client gives DOMAIN\steve2 as 302. If steve2 logs in and creates a file it becomes uid 327 and _not_ 302. If winbind is doing the mapping correctly it should map 327 to 302 and when I list a file that I have made it should give me back a uid of DOMAIN\steve2. It doesn't. The file created has uid 327 which works _but_ I want to see uids as names, not numbers.
>> I've also tried adding posixAccount, uidNumber and gidNumber to pull the uid:gid directly from AD with:
>> idmap config * : backend = ad
>> but then, getent passwd gives me no list of users.
>> Really stuck on this one. . .
>> The client is Ubuntu 12.04 with samba 3.6.3. Maybe 3.6.3 has bugs?
>> Cheers,
>> steve
>
> Please try with
> idmap backend = tdb
> idmap uid = some uninteresting range
> idmap gid = some uninteresting range
> idmap config YOURDOMAINNAMEHERE : backend = ad
> idmap config YOURDOMAINNAMEHERE : range = the range you want your uids/gids to be
> Like in http://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html
>
> Regards
> Geza Gemes

Thanks again Geza
Am doing a total client reinstall atm, but that looks good.
On the DC, I take it that for a user object I shall need:
objectClass: posixAccount
uidNumber: 123
gidNumber: 456
and for a group object
objectClass: posixGroup
gidNumber: 456
Question:
1. Does the config you give go on both DC and client?
2. confusion: This:
https://wiki.samba.org/index.php/Samba_3.6_Features_added/changed
says that
idmap uid = some uninteresting range
idmap gid = some uninteresting range
has been replaced by:
idmap config YOURDOMAINNAMEHERE : range = the range you want your uids/gids to be
Should I remove the:
idmap uid = some uninteresting range
idmap gid = some uninteresting range
My gidNumbers start at 20513 (Domain Users) and my last uidNumber is currently 3000157 so how about:
idmap config YOURDOMAINNAMEHERE : range=2-400 ?
3. If uidNumber and gidNumber are pulled from AD, why do I need to specify a range?
Cheers,
Steve
[Samba] idmap confusion
Three unfathomable questions:
1. What's the difference between:
idmap_ldb : use rfc2307 = Yes
and
idmap config * : backend = ad
2. Do the terms in (1) above apply equally to Samba4 beta6 and Samba 3.6.3?
3. If I specify either in (1) then
idmap config : range = abc-xyz
becomes meaningless.
Cheers,
Steve
Re: [Samba] winbind: uid range is ignored
On 03/08/12 13:07, NdK wrote:
> On 03/08/2012 10:22, steve wrote:
>> It doesn't seem to matter. I can have the same id range on both server and client. What is uid 327 on the server becomes uid 302 on the client.
> Remember to delete all .tdb files and rejoin the machine between tests w/ different backends, or you'll get big troubles.
> Since you can control your domain, stick to ad backend. And remember to keep uids/gids stored in AD in a safe range (less than 500 and ... wooops! -- remember 0 is root, that could get squashed to nobody by NFS).
> Hope reinstall brings you good news :)
>
> BYtE,
> Diego.

Hi Diego
Thanks for the tip. In fact, Samba4 defaults to 30-40 which I think is pretty safe?
My main problem is on the 3.6 client where the ad backend is not honoured. As you say, I've gone for a reinstall with an openSUSE client which has a patched 3.6.6 so hoping. . .
Cheers,
Steve
Re: [Samba] winbind: uid range is ignored
On 03/08/12 13:54, NdK wrote:
> On 03/08/2012 13:18, steve wrote:
>> Thanks for the tip. In fact, Samba4 defaults to 30-40 which I think is pretty safe?
> Only for a small domain... In our tree it would be WAY too small (could contain no more than about 20% of the groups we have in a single domain...).
>> My main problem is on the 3.6 client where the ad backend is not honoured. As you say, I've gone for a reinstall with an openSUSE client which has a patched 3.6.6 so hoping. . .
> Might even be that not honoured was simply due to caching: you had tdb backend (that assigns uids/gids sequentially as needed), then switched to rid, but cache still contained old values from tdb. That's why I told you to remove *all* .tdb files and rejoin.

Hi Diego
That's quite easy in Samba3 but which tdbs must I remove in Samba4? In fact, how would I rejoin the DC to itself?
Cheers,
steve
[Samba] Samba4: idmap config DOMAIN : backend = ad
Hi
I (deliberately for test purposes) have only one object with:
posixAccount
uidNumber
gidNumber
and only one object with:
posixGroup
gidNumber
The gidNumbers are the same for both.
getent passwd and getent group still however list all users and all groups regardless. Is there a cache I need to clear or is that the intended behavior?
Cheers,
Steve
Re: [Samba] idmap confusion
On 03/08/12 13:39, Gémes Géza wrote:
> On 2012-08-03 13:07, steve wrote:
>> Three unfathomable questions:
>> 1. What's the difference between:
>> idmap_ldb : use rfc2307 = Yes
> It is a samba4 winbind setting, so you need it on the Samba4 AD controller only
>> and
>> idmap config * : backend = ad
> the correct form is:
> idmap config SOMEDOMAINNAME : backend = ad
> and instructs the winbind from the samba3 suite to look up the uids gids from AD for accounts in SOMEDOMAINNAME
>> 2. Do the terms in (1) above apply equally to Samba4 beta6 and Samba 3.6.3?
>> 3. If I specify either in (1) then
>> idmap config : range = abc-xyz
>> becomes meaningless.
> No. With idmap_ad you map all not specifically configured domains using:
> idmap backend = tdb
> idmap uid = some uninteresting range
> idmap gid = some uninteresting range
> then for each DOMAIN you want to get the idmap information from the AD, you specify:
> idmap config INTERESTINGDOMAIN1 : backend = ad
> idmap config INTERESTINGDOMAIN1 : range = first range
> idmap config INTERESTINGDOMAIN2 : backend = ad
> idmap config INTERESTINGDOMAIN2 : range = second range
> and so on.
>> Cheers,
>> Steve
>
> Regards
> Geza

Hi Geza
On the Samba4 DC:
Despite having:
idmap config INTERESTINGDOMAIN1 : backend = ad
idmap config INTERESTINGDOMAIN1 : range = first range
and with /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
getent passwd/group return _all_ objects with or without posixAccount uidNumber or posixGroup gidNumber. I expected that with those settings, getent passwd would return only e.g. users with a uidNumber. Maybe I have a tdb to clear somewhere?
Cheers,
Steve
Re: [Samba] winbind: uid range is ignored
On 04/08/12 09:39, NdK wrote:
> On 03/08/2012 16:21, steve wrote:
>> That's quite easy in Samba3 but which tdbs must I remove in Samba4? In fact, how would I rejoin the DC to itself?
> You shouldn't use DCs for anything else other than DC. No file server. No gateway. *Nothing*. They're a critical piece of your network infrastructure and must be as closed as possible.

Hi Diego. Hi everyone
I'd like to have a separate fileserver running s3fs on another Samba4 installation. Could I do that by installing Samba4 and joining the domain as a member rather than a DC?

> The NFS server doesn't care about Samba at all: it receives UIDs and GIDs and stores 'em as given. No mapping happens here.

Yep. Got that bit

> What makes me think you have a *big* misunderstanding about what winbind mapping does is this sentence from another message:
>> If winbind is doing the mapping correctly it should map 327 to 302

Yes, I did misunderstand that. I've now adjusted my brain to match:-)

> No. Winbind maps back and forth between user *names* (and groups) and *UIDs* (and GIDs), not between server UIDs and local GIDs! It doesn't know if an UID is local or from a server. So, that means that (given no other kind of access to the NFS server is allowed) it's enough that all your *clients* use the same mapping between SIDs and UIDs/GIDs and you're OK. If not, you have a big problem.
> You have many ways to obtain that same mapping objective. I chose to use rid 'cause I couldn't modify my AD schema. But the preferred way is extend AD schema and specify there the UIDs and GIDs.

You don't have to extend the schema. You can store all the rfc2307 attributes and objects (posixAccount, posixGroup, uidNumber, gidNumber. . .) in the m$ schema that ships with S4.

> Hope this helps to clarify.

Yes it does. Thank you.
My aim is to have:
idmap config : MYDOMAIN : backend = ad
and
idmap config : MYDOMAIN : range = abc-def
recognised and with the uidNumber and gidNumber attributes being pulled from AD rather than any other mapping. To this end I have a test user object with:
objectClass: posixAccount
uidNumber: xyz
gidNumber: abc
and a test group object:
objectClass: posixGroup
gidNumber: abc
I assume that with the ad backend both the user and group will come from AD and not idmap.
Just waiting for the test lan to install and compile a totally new openSUSE 12.1 with Samba4 and a vBox openSUSE client, also fresh install.
How am I doing?
Cheers,
Steve
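Diego's two points in this thread, that NFS carries only numeric ids (so a file owned by uid 123456 on the server shows up as uid 123456 on every client) and that it is therefore the SID-to-uid mapping that must be identical on the server and all clients, can be made concrete with a small model. The following is an added example, not code from the thread or from Samba. It models two mapping styles in simplified form: a deterministic one in the spirit of idmap_rid (uid derived from the RID) and an allocate-on-first-sight one in the spirit of idmap_tdb, then shows how the same file is attributed by a client in each case and provides an audit that lists the users whose uid differs between two hosts. The domain SID, RIDs, user names, lookup order and uid base are all constructed for the example.

```python
"""Model: NFS transports numeric ids, so SID->uid mappings must agree on every host."""

DOMAIN_SID = "S-1-5-21-111-222-333"  # constructed; not a real domain SID
# Constructed user -> SID table (RIDs chosen for the example).
USERS = {"steve2": DOMAIN_SID + "-1107", "joseph-p": DOMAIN_SID + "-1105"}


def rid_backend(sid, base=30000):
    """idmap_rid-style (simplified): uid is computed from the RID, so it is the same on every host."""
    return base + int(sid.rsplit("-", 1)[1])


def tdb_backend(state, sid, base=30000):
    """idmap_tdb-style (simplified): the next free uid is handed out in order of first lookup,
    so two hosts that first see users in a different order end up with different uids."""
    if sid not in state:
        state[sid] = base + len(state)
    return state[sid]


class Host:
    """A machine with its own winbind mapping; `lookup` maps a SID to a uid."""

    def __init__(self, name, lookup):
        self.name = name
        self.lookup = lookup

    def uid_for(self, sid):
        return self.lookup(sid)

    def name_for(self, uid, users):
        """Reverse lookup as `ls -l` would do it; an unknown uid stays a bare number."""
        for user, sid in users.items():
            if self.lookup(sid) == uid:
                return user
        return str(uid)


def owner_as_seen_by(client, server, owner):
    """The server stores the owner's uid in the inode; NFS hands the client that number unchanged,
    and the client resolves it with its *own* mapping."""
    file_uid = server.uid_for(USERS[owner])
    return client.name_for(file_uid, USERS)


def audit_mapping(server, client, users):
    """Users whose uid differs between the two hosts. Files they own on the server will be
    attributed to someone else (or to a bare number) on the client, and vice versa."""
    return [u for u, sid in users.items() if server.uid_for(sid) != client.uid_for(sid)]


def consistent_scenario():
    """Both hosts derive uids from the RID: the same file is attributed identically everywhere."""
    server = Host("dc", rid_backend)
    client = Host("ubuntu1", rid_backend)
    return owner_as_seen_by(client, server, "steve2"), audit_mapping(server, client, USERS)


def inconsistent_scenario():
    """Both hosts allocate sequentially, but saw users in a different order (constructed history)."""
    server_state, client_state = {}, {}
    server = Host("dc", lambda sid: tdb_backend(server_state, sid))
    client = Host("ubuntu1", lambda sid: tdb_backend(client_state, sid))
    server.uid_for(USERS["joseph-p"])   # server first resolved joseph-p, then steve2
    server.uid_for(USERS["steve2"])
    client.uid_for(USERS["steve2"])     # client first resolved steve2, then joseph-p
    client.uid_for(USERS["joseph-p"])
    return owner_as_seen_by(client, server, "steve2"), audit_mapping(server, client, USERS)


if __name__ == "__main__":
    print("rid-style, both hosts:", consistent_scenario())
    print("tdb-style, different lookup order:", inconsistent_scenario())
```

In the consistent case steve2's file is shown as owned by steve2 on the client and the audit list is empty. In the inconsistent case the very same file is shown as owned by joseph-p, which is the "would give another user access to it" outcome Diego describes: the permission bits on the server are honoured against the numeric uid, so whoever the client maps to that number is the effective owner. The audit function is the check worth running between a server and each client (with real lookups behind `Host`) before relying on NFS with winbind-provided ids.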
Re: [Samba] idmap confusion
On 03/08/12 21:54, Gémes Géza wrote:
> On 2012-08-03 18:46, steve wrote:
>> On 03/08/12 13:39, Gémes Géza wrote:
>>> On 2012-08-03 13:07, steve wrote:
>>>> Three unfathomable questions:
>>>> 1. What's the difference between:
>>>> idmap_ldb : use rfc2307 = Yes
>>> It is a samba4 winbind setting, so you need it on the Samba4 AD controller only
>>>> and
>>>> idmap config * : backend = ad
>>> the correct form is:
>>> idmap config SOMEDOMAINNAME : backend = ad
>>> and instructs the winbind from the samba3 suite to look up the uids gids from AD for accounts in SOMEDOMAINNAME
>>>> 2. Do the terms in (1) above apply equally to Samba4 beta6 and Samba 3.6.3?
>>>> 3. If I specify either in (1) then
>>>> idmap config : range = abc-xyz
>>>> becomes meaningless.
>>> No. With idmap_ad you map all not specifically configured domains using:
>>> idmap backend = tdb
>>> idmap uid = some uninteresting range
>>> idmap gid = some uninteresting range
>>> then for each DOMAIN you want to get the idmap information from the AD, you specify:
>>> idmap config INTERESTINGDOMAIN1 : backend = ad
>>> idmap config INTERESTINGDOMAIN1 : range = first range
>>> idmap config INTERESTINGDOMAIN2 : backend = ad
>>> idmap config INTERESTINGDOMAIN2 : range = second range
>>> and so on.
>>>> Cheers,
>>>> Steve
>>> Regards
>>> Geza
>> Hi Geza
>> On the Samba4 DC:
>> Despite having:
>> idmap config INTERESTINGDOMAIN1 : backend = ad
>> idmap config INTERESTINGDOMAIN1 : range = first range
> No! You have misunderstood how things work currently. On Samba4 those settings have NO meaning. The only smb.conf setting which is meaningful for the samba4 winbind is that with rfc2307
> All the idmap_ad options have to be written in the samba3 clients' smb.conf

Hi Geza
Thanks. Got it.
Samba4 DC:
idmap_ldb use : rfc2307 = Yes
Samba3.6 client:
idmap config INTERESTINGDOMAIN1 : backend = ad
idmap config INTERESTINGDOMAIN1 : range = abitlessthanlowestnumberIhaveforUID/GID - abitbiggerthanthebiggestnumberforUID/GID
How does that look?
Cheers,
Steve
Re: [Samba] winbind: uid range is ignored
On 04/08/12 13:21, NdK wrote:
> On 04/08/2012 12:00, steve wrote:
>>> You have many ways to obtain that same mapping objective. I chose to use rid 'cause I couldn't modify my AD schema. But the preferred way is extend AD schema and specify there the UIDs and GIDs.
>> You don't have to extend the schema. You can store all the rfc2307 attributes and objects (posixAccount, posixGroup, uidNumber, gidNumber. . .) in the m$ schema that ships with S4.
> Too bad my AD controllers are M$ W2k3, w/o rfc2307 extension :( That's why I'm stuck with rid.

Hi Diego.
Ah I see. I didn't mean to offend. I simply assumed you were using Samba4. I think m$ gave them the 2008 schema as a result of a court case. That _does_ have rfc2307.
With your and Geza's help I think I'm finally getting somewhere.

>> My aim is to have:
>> idmap config : MYDOMAIN : backend = ad
>> and
>> idmap config : MYDOMAIN : range = abc-def
>> recognised and with the uidNumber and gidNumber attributes being pulled from AD rather than any other mapping. To this end I have a test user object with:
>> objectClass: posixAccount
>> uidNumber: xyz
>> gidNumber: abc
>> and a test group object:
>> objectClass: posixGroup
>> gidNumber: abc
>> I assume that with the ad backend both the user and group will come from AD and not idmap.
> Well, idmap queries its backend for the mapping.
>> Just waiting for the test lan to install and compile a totally new openSUSE 12.1 with Samba4 and a vBox openSUSE client, also fresh install.
>> How am I doing?
> Should work at the first try.

Really need this one. I have to compare winbind with nss-ldapd to do this stuff. Have the latter going fine.

> But someone else that already used S4 and AD backend can confirm for sure. :)

Hope so. There must be someone else out there.
Cheers,
Steve
Re: [Samba] winbind: uid range is ignored
On 04/08/12 20:34, NdK wrote:
> On 04/08/2012 13:40, steve wrote:
>>> Too bad my AD controllers are M$ W2k3, w/o rfc2307 extension :(
>>> That's why I'm stuck with rid.
>>
>> Ah I see. I didn't mean to offend.
>
> No offense perceived :)

Hi
That's good to know it wasn't a misunderstanding. Most of our LAN uses Linux with only a few m$ boxes. The Samba4 LDAP is excellent compared to openLDAP, so I guess that's our main priority.

What I _do_ have is fast mapping via nss-pam-ldapd, where everything just works. All rfc2307 comes from the directory by default. Anything you like: loginShell, unixHomeDirectory... On a per user or group basis. Total flexibility.

In comparison, winbind seems overcomplicated and restrictive (and simply does not work with either Ubuntu or openSUSE 3.6.3). It also seems very restricted in that we have to turn off unix attributes and use wide links so we can symlink to the only available folder for unixHomeDirectory.

Anyway, I've not given up yet, but it really does look like winbind is past its sell-by date ;)

Cheers and thanks for your continued support,
Steve
[Samba] Samba4 winbind getent and login
Hi
With Samba4 winbind, getent passwd gives users as:

WORKGROUP\user

and you can login as either WORKGROUP\user or user.

getent group lists only the group without the WORKGROUP\group, and in a listing of files the group is only listed as group (without the WORKGROUP\ part).

Is this the expected behaviour? On Samba3 winbind, both users and groups display the WORKGROUP\ prefix and you have to login with the prefix attached.

Cheers,
Steve
Re: [Samba] winbind: uid range is ignored
On 04/08/12 22:06, NdK wrote:
> On 04/08/2012 21:13, steve wrote:
>
> Uh? wide links seems a bad idea to me... At least from a security perspective.
>
> Why a single home directory? We have a single NFS share containing folders for the two domains and inside those a folder for each home. We are trying to migrate away from that, preferring a '[homes]' share where users will place the data they want to have available on every PC. This way even Firefox should work...

Hi Diego
We have home directories like:

home2/staff
home2/students/7a
home2/students/7b

Winbind allows only one template homedir and all user home folders must reside there (or tell me otherwise). The only way we can have what we want is:

1. use nss-ldapd and store the true unixHomeDirectory in AD
2. winbind. We have a symlink in template homedir to the real data. For that we need wide links.

Cheers,
Steve
Re: [Samba] winbind: uid range is ignored
On 07/08/12 16:15, Jonathan Buzzard wrote:
> On 07/08/12 15:10, steve wrote:
>> On 04/08/12 22:06, NdK wrote:
>>> On 04/08/2012 21:13, steve wrote:
>>>
>>> Uh? wide links seems a bad idea to me... At least from a security perspective.
>>>
>>> Why a single home directory? We have a single NFS share containing folders for the two domains and inside those a folder for each home. We are trying to migrate away from that, preferring a '[homes]' share where users will place the data they want to have available on every PC. This way even Firefox should work...
>>
>> Hi Diego
>> We have home directories like:
>>
>> home2/staff
>> home2/students/7a
>> home2/students/7b
>>
>> Winbind allows only one template homedir and all user home folders must reside there (or tell me otherwise). The only way we can have what we want is:
>>
>> 1. use nss-ldapd and store the true unixHomeDirectory in AD
>> 2. winbind. We have a symlink in template homedir to the real data. For that we need wide links.
>
> 3. Use winbind to store the true unixHomeDirectory in AD.

Hi
If I store unixHomeDirectory in AD, winbind seems to ignore it. As far as it's concerned, all home directories have to be in template homedir. How would I use winbind to store it?

This is why we tend toward 1. nss-ldapd pulls all of rfc2307 from AD. winbind seems to recognise only uidNumber and gidNumber. It doesn't seem to give you any control over login shell and unixHomeDirectory. Everyone has the same shell and homedir.

Cheers,
Steve
[Samba] Samba4 is it possible to change the IP of a DC?
Hi
I need to change the IP of a DC from 192.168.1.6 to 192.168.1.8

I did so and restarted bind but on running samba_dnsupdate I get errors:

samba_dnsupdate --verbose
IPs: ['fe80::212:f0ff:fe06:9cda%eth1', '192.168.1.8']
Looking for DNS entry A polop.site 192.168.1.8 as polop.site.
Failed to find matching DNS entry A polop.site 192.168.1.8
Looking for DNS entry A sam4dc.polop.site 192.168.1.8 as sam4dc.polop.site.
Failed to find matching DNS entry A sam4dc.polop.site 192.168.1.8
Looking for DNS entry A gc._msdcs.polop.site 192.168.1.8 as gc._msdcs.polop.site.
Failed to find matching DNS entry A gc._msdcs.polop.site 192.168.1.8

Kerberos fails:

Traceback (most recent call last):
  File "/usr/local/samba/sbin/samba_dnsupdate", line 485, in <module>
    get_credentials(lp)
  File "/usr/local/samba/sbin/samba_dnsupdate", line 120, in get_credentials
    creds.get_named_ccache(lp, ccachename)
RuntimeError: kinit for SAM4DC$@POLOP.SITE failed (Cannot contact any KDC for requested realm)

Is it possible to change the IP?

Cheers,
Steve
Re: [Samba] winbind: uid range is ignored
On 08/08/2012 12:35 AM, Jonathan Buzzard wrote:
> steve wrote:
>> On 07/08/12 16:15, Jonathan Buzzard wrote:
>>> On 07/08/12 15:10, steve wrote:
>>>> On 04/08/12 22:06, NdK wrote:
>>>>> On 04/08/2012 21:13, steve wrote:
>>>>>
>>>>> Uh? wide links seems a bad idea to me... At least from a security perspective.
>>>>>
>>>>> Why a single home directory? We have a single NFS share containing folders for the two domains and inside those a folder for each home. We are trying to migrate away from that, preferring a '[homes]' share where users will place the data they want to have available on every PC. This way even Firefox should work...
>>>>
>>>> Hi Diego
>>>> We have home directories like:
>>>>
>>>> home2/staff
>>>> home2/students/7a
>>>> home2/students/7b
>>>>
>>>> Winbind allows only one template homedir and all user home folders must reside there (or tell me otherwise). The only way we can have what we want is:
>>>>
>>>> 1. use nss-ldapd and store the true unixHomeDirectory in AD
>>>> 2. winbind. We have a symlink in template homedir to the real data. For that we need wide links.
>>>
>>> 3. Use winbind to store the true unixHomeDirectory in AD.
>>
>> Hi
>> If I store unixHomeDirectory in AD, winbind seems to ignore it. As far as it's concerned, all home directories have to be in template homedir. How would I use winbind to store it?
>>
>> This is why we tend toward 1. nss-ldapd pulls all of rfc2307 from AD. winbind seems to recognise only uidNumber and gidNumber. It doesn't seem to give you any control over login shell and unixHomeDirectory. Everyone has the same shell and homedir.
>
> Well it's read only, winbind pulls the information from the AD, but take out your template homedir/shell lines from smb.conf and do something like
>
> winbind nss info = rfc2307
> winbind expand groups = 2
> winbind nested groups = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> Note you can get nested groups this way, something I don't think nss-ldapd provides.
>
> It does work I have it in production for over 1500 users right now with some 900 active SMB sessions.

Hi Jonathan
Is that with Samba3 or 4?

I just tried it with Samba4 with unixHomeDirectory in AD. I removed template homedir =, created the user directory and gave it the correct permissions, but logging in, winbind tries to create the directory:

su steve2
Creating directory ''.
Unable to create and initialize directory ''.
su: Permission denied

Cheers,
Steve
[Samba] getent group not working
Hi
Ubuntu 12.04 LTS client with 3.6.3 joined to the Samba4 AD domain.

smb.conf:

winbind enum users = Yes
winbind enum groups = Yes
idmap config *:backend=tdb
idmap config *:range=1-1
idmap config ALTEA:backend=ad
idmap config ALTEA:range=2-4000

getent passwd and wbinfo -u returns all AD users correctly
wbinfo -g returns all AD groups correctly
getent group fails. Only local groups are returned.

getent group works OK on the Samba4 DC.

I have disabled firewalls at both ends and torn down apparmor at both ends.

Any ideas anyone?

Cheers,
Steve
Re: [Samba] getent group not working
On 08/08/12 16:13, Rowland Penny wrote:
> On 08/08/12 14:45, Jonathan Buzzard wrote:
>> On 08/08/12 13:36, Rowland Penny wrote:
>> [SNIP]
>>
>> Remove it and do a 'getent group HOME\\linuxusers' and see if that works. Should explain why you need the user default domain in there.
>>
>> JAB.
>
> ok, I removed the line and ran 'getent group HOME\\linuxusers'
> This returned 'HOME\linuxusers:x:312:', this is just the same as before but with the domain name stuck on the front, 'getent group' still returns nothing.
>
> So as I see it, with 'winbind use default domain = yes' in smb.conf, you do not need to give the domain name, but without it you do.
>
> I still do not see why 'getent group' does not return anything but local groups.
>
> Rowland

OK
getent passwd works as does wbinfo -u/-g
getent passwd doesn't

My workgroup is ALTEA
I create a group staff2 with posixGroup and gidNumber of 21114

This works:
getent group ALTEA\\staff2
ALTEA\staff2:x:21114:

Back on the Samba4 DC at debug 3 the getent group command gives around 50 of these:

ldb: ldb: dnAttributes extended match not supported yet

getent group (without specifying a WORKGROUP\\group) returns only local groups.

Unfortunately the question remains the same. Why does getent group return only local users? Is this just Ubuntu 12.04 with Samba 3.6.3? Can anyone confirm that it works on other distros?

Cheers,
Steve
Re: [Samba] winbind: uid range is ignored
On 08/08/12 10:40, Jonathan Buzzard wrote:
> On 08/08/12 08:49, steve wrote:
>> On 08/08/2012 12:35 AM, Jonathan Buzzard wrote:
>>> steve wrote:
>>>> On 07/08/12 16:15, Jonathan Buzzard wrote:
>>>>> On 07/08/12 15:10, steve wrote:
>>>>>> On 04/08/12 22:06, NdK wrote:
>>>>>>> On 04/08/2012 21:13, steve wrote:
>>>>>>>
>>>>>>> Uh? wide links seems a bad idea to me... At least from a security perspective.
>>>>>>>
>>>>>>> Why a single home directory? We have a single NFS share containing folders for the two domains and inside those a folder for each home. We are trying to migrate away from that, preferring a '[homes]' share where users will place the data they want to have available on every PC. This way even Firefox should work...
>>>>>>
>>>>>> Hi Diego
>>>>>> We have home directories like:
>>>>>>
>>>>>> home2/staff
>>>>>> home2/students/7a
>>>>>> home2/students/7b
>>>>>>
>>>>>> Winbind allows only one template homedir and all user home folders must reside there (or tell me otherwise). The only way we can have what we want is:
>>>>>>
>>>>>> 1. use nss-ldapd and store the true unixHomeDirectory in AD
>>>>>> 2. winbind. We have a symlink in template homedir to the real data. For that we need wide links.
>>>>>
>>>>> 3. Use winbind to store the true unixHomeDirectory in AD.
>>>>
>>>> Hi
>>>> If I store unixHomeDirectory in AD, winbind seems to ignore it. As far as it's concerned, all home directories have to be in template homedir. How would I use winbind to store it?
>>>>
>>>> This is why we tend toward 1. nss-ldapd pulls all of rfc2307 from AD. winbind seems to recognise only uidNumber and gidNumber. It doesn't seem to give you any control over login shell and unixHomeDirectory. Everyone has the same shell and homedir.
>>>
>>> Well it's read only, winbind pulls the information from the AD, but take out your template homedir/shell lines from smb.conf and do something like
>>>
>>> winbind nss info = rfc2307
>>> winbind expand groups = 2
>>> winbind nested groups = yes
>>> winbind enum users = yes
>>> winbind enum groups = yes

Thanks Jonathan
I got it working.

It needed a schema_mode line:

idmap config MYDOMAIN:schema_mode = rfc2307

I can now finally remove wide links = Yes :-)

nss-winbind seems slow. You can see the results of getent passwd appearing one at a time. With nss-ldapd, the second time you do a getent, it's instantaneous. Is there perhaps a cache I'm missing for winbind? (I have nscd turned off)

Cheers,
Steve
Re: [Samba] winbind: uid range is ignored
On 08/08/2012 05:57 PM, Jonathan Buzzard wrote:
> On 08/08/12 16:41, steve wrote:
>> On 08/08/12 10:40, Jonathan Buzzard wrote:
>>> On 08/08/12 08:49, steve wrote:
>>>> On 08/08/2012 12:35 AM, Jonathan Buzzard wrote:
>>>>> steve wrote:
>>>>>> On 07/08/12 16:15, Jonathan Buzzard wrote:
>>>>>>> On 07/08/12 15:10, steve wrote:
>>>>>>>> On 04/08/12 22:06, NdK wrote:
>>>>>>>>> On 04/08/2012 21:13, steve wrote:
>>
>> nss-winbind seems slow. You can see the results of getent passwd appearing one at a time. With nss-ldapd, the second time you do a getent, it's instantaneous. Is there perhaps a cache I'm missing for winbind? (I have nscd turned off)
>
> Noting that nscd and winbind don't work properly together, the settings I use are
>
> idmap cache time = 604800
> idmap negative cache time = 20
> winbind cache time = 600
>
> Performance seems good to me, especially once cached.

Much better. After e.g. 4 or 5 getent's it speeds up considerably. Presumably getent populates the cache?

Cheers,
Steve
Re: [Samba] getent group not working
On 08/08/2012 05:58 PM, Jonathan Buzzard wrote:
> On 08/08/12 15:13, Rowland Penny wrote:
>> On 08/08/12 14:45, Jonathan Buzzard wrote:
>>> On 08/08/12 13:36, Rowland Penny wrote:
>>> [SNIP]
>>>> More info, with 'winbind use default domain = yes' in smb.conf on the client, 'getent group linuxusers' returns the info. Remove 'winbind use default domain = yes' from smb.conf and restart nmbd, smbd, winbind, 'getent group linuxusers' now returns nothing, put the line back, restart the daemons and the info comes back. Why does one line in smb.conf make such a big difference?
>>>
>>> Remove it and do a 'getent group HOME\\linuxusers' and see if that works. Should explain why you need the user default domain in there.
>>>
>>> JAB.
>>
>> ok, I removed the line and ran 'getent group HOME\\linuxusers'
>> This returned 'HOME\linuxusers:x:312:', this is just the same as before but with the domain name stuck on the front, 'getent group' still returns nothing.
>>
>> So as I see it, with 'winbind use default domain = yes' in smb.conf, you do not need to give the domain name, but without it you do.
>>
>> I still do not see why 'getent group' does not return anything but local groups.
>
> You did make sure to nuke any DB's that Samba might have created locally when switching between the two?

Hi
I just physically removed /var/lib/samba and /var/cache/samba and did apt-get purge samba winbind samba-common. Then reinstalled over bare metal. _Still_ only local groups from getent group.

It works fine. We can login and files are shown as being owned by e.g.
WORKGROUP\steve WORKGROUP\domain users

It would just be nice to be able to see the groups listed by getent group. That's all.

Cheers,
Steve
[Samba] Samba4: rfc2307 compatibility with Samba3
Hi
In Samba3, I have full rfc2307 compliance via winbind where all attributes can be obtained from AD.

In Samba4 I only have partial rfc2307 compatibility with:

idmap_ldb:use rfc2307 = yes

uidNumber and gidNumber can be obtained from AD but unixHomeDirectory and loginShell are missing. The workarounds are to use the winbind [homes] share and link from there to the real unixHomeDirectory or else use nss-ldapd.

Is it planned that Samba4 winbind will inherit all of rfc2307 at some stage?

Cheers,
Steve
[Samba] Samba4: winbind does not grant kerberos authentication
Hi
I have winbind setup and authentication is OK.

samba4 log:
auth_check_password_send: Checking password for unmapped user [ALTEA]\[lynn2]@[HH30]
auth_check_password_send: mapped user is: [ALTEA]\[lynn2]@[HH30]

Linux log:
Aug 12 09:05:00 hh30 su: pam_winbind(su:auth): getting password (0x)
Aug 12 09:05:01 hh30 su: pam_winbind(su:auth): user 'ALTEA\lynn2' granted access
Aug 12 09:05:01 hh30 su: pam_winbind(su:account): user 'ALTEA\lynn2' granted access
Aug 12 09:05:01 hh30 su: (to ALTEA\lynn2) steve on /dev/pts/2

However, the user cannot access his kerberized nfs home directory because he does not have a ticket. He has to do a kinit before he can access the nfs share.

Here are the pam settings:

auth     required   pam_env.so
auth     sufficient pam_winbind.so
auth     sufficient pam_unix2.so   use_first_pass
auth     sufficient pam_krb5.so    use_first_pass
auth     required   pam_deny.so

account  sufficient pam_winbind.so
account  requisite  pam_unix2.so
account  required   pam_krb5.so    use_first_pass ignore_unknown_principals
account  required   pam_localuser.so

session  required   pam_winbind.so
session  required   pam_limits.so
session  required   pam_unix2.so
session  optional   pam_krb5.so
session  optional   pam_umask.so
session  optional   pam_systemd.so

in /etc/nsswitch.conf:

passwd: files winbind
group:  files winbind

I've tried putting the pam_krb5.so entry before the winbind entry but then we cannot authenticate because ALTEAlynn2 (not lynn2 nor ALTEA\lynn2) is passed to Kerberos and of course ALTEAlynn2 is not found in the database.

How do I get winbind authentication and Kerberos authentication at the same time?

Cheers,
Steve
Re: [Samba] Samba4: rfc2307 compatibility with Samba3
On 08/11/2012 01:10 PM, Andrew Bartlett wrote:
> On Sat, 2012-08-11 at 11:21 +0200, Helmut Hullen wrote:
>> Hello, Andrew, you wrote on 11.08.12:
>>>> In Samba3, I have full rfc2307 compliance via winbind where all attributes can be obtained from AD.
>>>>
>>>> In Samba4 I only have partial rfc2307 compatibility with:
>>>>
>>>> idmap_ldb:use rfc2307 = yes
>>>>
>>>> uidNumber and gidNumber can be obtained from AD but unixHomeDirectory and loginShell are missing.
>>>
>>> [...]
>>>
>>> At this stage, we still don't recommend combining file server and DC functions. By separating these functions onto different (virtual) servers, you can avoid this issue.
>>
>> Sorry - that sounds ugly. I prefer using samba as a combined system for SOHO (especially for schools). And working with several servers (especially virtual servers) is not attractive for someone who looks for the server as a second or third job, beneath his/her main job.
>
> I would rather advertise a narrower, known to work set of functionality than to promise broader features than we know works well in production experience. In particular, we know about the limitations that Steve mentions, and we know the workaround: don't mix the file server and AD DC.
>
> Andrew Bartlett

Hi
Does this mean having one Samba4 machine as the DC and another Samba4 (e.g. Vbox) machine joined to it as a member to act as fileserver?

Cheers,
Steve
Re: [Samba] Samba4: rfc2307 compatibility with Samba3
On 12/08/12 09:31, steve wrote:
> On 08/11/2012 01:10 PM, Andrew Bartlett wrote:
>> On Sat, 2012-08-11 at 11:21 +0200, Helmut Hullen wrote:
>>> Hello, Andrew, you wrote on 11.08.12:
>
> Hi
> Does this mean having one Samba4 machine as the DC and another Samba4 (e.g. Vbox) machine joined to it as a member to act as fileserver?
>
> Cheers,
> Steve

But hang on. That wouldn't work either. Would we need to completely ditch s3fs for rfc2307 to work? What's wrong with nss-ldapd instead, or in the meanwhile until winbind and s3fs catch up?

How would I set up a recommended, official Samba fileserver? Is it a Samba 3.6 machine on VBox?

Normally, I create a user on the DC, give him rfc2307 classes and attributes and create his home directory. When the user is created, I also create the whole of his login to both Linux and windows machines. I can do that with the DC and fileserver as the same machine by bypassing winbind and using nss-pam-ldapd. All the user has to do is choose whether to use a Linux or windows box.

Confused...

Cheers,
Steve
Re: [Samba] RFC2307, AD, and Samba 3.6
On 12/08/12 15:26, Gémes Géza wrote:
> Hi,
>
>> Hi all,
>>
>> I'm still struggling with getting samba 3.6 to use the uids and gids from my Active Directory 2008 R2 setup. I can see the users, I just can't get their UIDs mapped onto my linux machine. I've configured AD to use its services for unix feature, and through that, I got a Unix Attributes tab where I could enter fields like uid, home dir, shell, and primary GID.
>>
>> My few questions:
>>
>> 1. Am I supposed to configure Samba to use rfc2307, or sfu?
>> 2. As you can see in my config, below, I've configured an idmap range for the AD domain. It seems to be ignored, and instead, my users get placed in the wildcard domain's idmap range.
>> 3. I found some advice (don't remember where) to try to delete these files when I change this part of my config:
>>    /var/run/samba/gencache*
>>    /var/cache/samba/winbindd_cache.tdb
>>    /var/lib/samba/winbindd_idmap.tdb
>>    Any thoughts about the need/value to delete these temp files is appreciated.
>> 4. Finally, does anyone have suggestions of other things I can try?
>>
>> thanks very much.
>> best,
>> -Nick
>
> According to man idmap_ad you should have a generic idmap backend line as well, like:
>
> idmap backend = tdb
> idmap uid range = some uninteresting range
> idmap gid range = some uninteresting range
>
> S3.6 complains about deprecation here and only accepts the gid range.
>
> I've written "uninteresting range", because you should specify a range where you haven't placed your users via ADUC.
>
>> [global] (from my smb.conf)
>> workgroup = CORP
>> server string = %h server (Samba, Ubuntu)
>> security = ADS
>> realm = CORP.xxx.COM
>> allow trusted domains = yes
>> winbind use default domain = yes
>> winbind nested groups = YES
>> winbind nested groups = YES
>> winbind enum groups = yes
>> winbind enum users = yes
>> winbind nss info = rfc2307
>> winbind refresh tickets = yes
>> idmap config CORP : backend = ad
>> idmap config CORP : schema_mode = rfc2307
>> #idmap config CORP : range = 1000 - 9
>> idmap config * : default = yes
>> #idmap config * : backend = tdb
>> #idmap config * : range = 10 - 19
>> idmap config * : range = 900 - 1999
>> encrypt passwords = true
>> obey pam restrictions = yes
>> client use spnego = yes
>> client ntlmv2 auth = yes
>> encrypt passwords = true
>> restrict anonymous = 2
>>
>> When I perform an ldapsearch against my server, I see these attributes, among others:
>>
>> msSFU30Name: nick
>> msSFU30NisDomain: corp
>> uidNumber: 1001
>> gidNumber: 1000
>> unixHomeDirectory: /home/nick
>> loginShell: /bin/bash
>
> Regards
>
> Geza

Hi
Here is a 3.6.3 config that works against Samba4 AD. There is no need for m$ sfu. 2008 R2 and Samba4 both allow full rfc2307 out of the box:

[global]
realm = polop.site
workgroup = ALTEA
security = ADS
winbind enum users = Yes
winbind enum groups = Yes
idmap config *:backend = tdb
idmap config *:range = 3000-4000
idmap config ALTEA:backend = ad
idmap config ALTEA:range = 2-4000
idmap config ALTEA:schema_mode = rfc2307
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes
#winbind use default domain = Yes

HTH
Cheers,
Steve
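One thing worth checking in the config above: the default backend gets `idmap config *:range = 3000-4000` while ALTEA gets `2-4000`, so the two ranges overlap and an id allocated locally by the tdb backend (for a well-known SID, say) can coincide with an AD uidNumber, which is the same collision Geza's "uninteresting range" advice is meant to avoid. The following check is an added example, not code from the thread or from Samba; it reads smb.conf text on stdin and reports overlapping or inverted idmap ranges (the sample smb.conf is constructed from Steve's config).

```shell
#!/bin/sh
# Added example: detect overlapping "idmap config DOMAIN:range" entries in smb.conf.
# Not from the thread or from Samba; the sample config below is constructed.

SAMPLE_SMB_CONF='[global]
realm = polop.site
workgroup = ALTEA
security = ADS
idmap config *:backend = tdb
idmap config *:range = 3000-4000
idmap config ALTEA:backend = ad
idmap config ALTEA:range = 2-4000
idmap config ALTEA:schema_mode = rfc2307
'

# Print "DOMAIN LOW HIGH" for every "idmap config DOMAIN:range = LOW-HIGH" line.
# Accepts optional spaces around ":" and "=" and the "LOW - HIGH" spelling.
idmap_ranges() {
    sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:[:space:]]*\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*-[[:space:]]*\([0-9]*\).*/\1 \2 \3/p'
}

# Read smb.conf text on stdin. Prints one line per problem (inverted range or
# overlapping pair) and returns 1 if any was found, 0 if the ranges are disjoint.
check_idmap_overlap() {
    idmap_ranges | awk '
        {
            dom[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0
            if (lo[NR] > hi[NR]) {
                printf "inverted range: %s %s-%s\n", dom[NR], lo[NR], hi[NR]
                bad = 1
            }
        }
        END {
            # Two closed intervals overlap when each starts no later than the other ends.
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s %s-%s and %s %s-%s\n",
                               dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
                        bad = 1
                    }
            exit bad ? 1 : 0
        }'
}

# Usage on a real system: check_idmap_overlap < /etc/samba/smb.conf
printf '%s' "$SAMPLE_SMB_CONF" | check_idmap_overlap \
    || echo "fix the ranges before starting winbind"
```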
Re: [Samba] Samba4: rfc2307 compatibility with Samba3
On 12/08/12 15:28, Gémes Géza wrote:
> On 2012-08-12 09:31, steve wrote:
>> On 08/11/2012 01:10 PM, Andrew Bartlett wrote:
>>> On Sat, 2012-08-11 at 11:21 +0200, Helmut Hullen wrote:
>>>> Hello, Andrew, you wrote on 11.08.12:
>>>>>> In Samba3, I have full rfc2307 compliance via winbind where all attributes can be obtained from AD.
>>>>>>
>>>>>> In Samba4 I only have partial rfc2307 compatibility with:
>>>>>>
>>>>>> idmap_ldb:use rfc2307 = yes
>>>>>>
>>>>>> uidNumber and gidNumber can be obtained from AD but unixHomeDirectory and loginShell are missing.
>>>>>
>>>>> [...]
>>>>>
>>>>> At this stage, we still don't recommend combining file server and DC functions. By separating these functions onto different (virtual) servers, you can avoid this issue.
>>>>
>>>> Sorry - that sounds ugly. I prefer using samba as a combined system for SOHO (especially for schools). And working with several servers (especially virtual servers) is not attractive for someone who looks for the server as a second or third job, beneath his/her main job.
>>>
>>> I would rather advertise a narrower, known to work set of functionality than to promise broader features than we know works well in production experience. In particular, we know about the limitations that Steve mentions, and we know the workaround: don't mix the file server and AD DC.
>>>
>>> Andrew Bartlett
>>
>> Hi
>> Does this mean having one Samba4 machine as the DC and another Samba4 (e.g. Vbox) machine joined to it as a member to act as fileserver?
>>
>> Cheers,
>> Steve
>
> If you don't want to use the second box interactively yes, if you intend to login there, or have home directories served from there better install Samba3.6 on it.
>
> Regards
>
> Geza

Hi Geza, hi everyone
OK, conclusion. I have a single box with s4 DC. The same box with a Vbox guest running S3.6, and NFS. The S4 DC becomes a NFS client when I mount the shares from the Vbox guest on it. I create users and their home directories on the DC. Files are served from the S3 Vbox guest. The DC has no shares apart from [global], [netlogon] and [sysvol].

The s3 guest carries all the shares I would normally add after the 3 default DC shares. Instead of using the hostname of the DC when I mount shares on remote clients, I use the hostname of the S3 Guest.

How am I doing so far?

Cheers,
Steve
Re: [Samba] RFC2307, AD, and Samba 3.6
On 08/12/2012 08:49 PM, Nick Triantos wrote:
> Thanks very much. For some reason, this time, when I uncommented those idmap range lines, it all worked.
>
> Steve, to use rfc2307 out of the box, how do I specify uids for my users? I installed sfu to get the tab in the Users & Computers where I could set stuff like shell, uid, etc.
>
> thanks,
> -Nick

Hi Nick
We just wrote a quick script to add users and set up some sensible defaults. In this example, our unixHomeDirectory is under /home2 and we gave the Domain Users group a gidNumber of 20513. Our DC is called hh3.

samba-tool user add $1
echo Updating directory with uid $uid
sleep 1
# write the LDIF modify record for ldbmodify (the redirection and here-document
# markers were lost when the mail was archived; $1 is the user, $2 the home subfolder)
cat > /tmp/$1 <<EOF
dn: cn=$1,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectClass
objectClass: posixAccount
-
add: uidNumber
uidNumber: $uid
-
add: gidNumber
gidNumber: 20513
-
add: unixHomeDirectory
unixHomeDirectory: /home2/$2/$1
-
add: loginShell
loginShell: /bin/bash
-
add: profilePath
profilePath: hh30\\profiles\\$1
-
add: homeDirectory
homeDirectory: hh30\\$2\\$1
-
add: homeDrive
homeDrive: Z:
EOF
ldbmodify --url=/usr/local/samba/private/sam.ldb /tmp/$1

We also have a full script called s4bind which does everything for users and groups for you without ever touching a windows box:
http://linuxcostablanca.blogspot.com.es/p/s4bind.html

HTH
Steve
Re: [Samba] RFC2307, AD, and Samba 3.6
On 08/12/2012 08:49 PM, Nick Triantos wrote:
> Thanks very much. For some reason, this time, when I uncommented those idmap range lines, it all worked.
>
> Steve, to use rfc2307 out of the box, how do I specify uids for my users? I installed sfu to get the tab in the Users & Computers where I could set stuff like shell, uid, etc.
>
> thanks,
> -Nick

Hi Nick
Just knock up a quick script. Here's one we made using an idea from Geza. It's specific to our domain but you can easily change it:

#!/bin/bash
# get next uid: highest uid currently visible to getent, plus one
getent passwd | cut -d : -f3 > /tmp/uid
sort -n /tmp/uid -o /tmp/uid
highuid=$(tail -1 /tmp/uid)
uid=$(($highuid+1))
echo $uid $highuid
# tidy up
rm /tmp/uid
samba-tool user add $1
echo Updating directory with uid $uid
sleep 1
# write the LDIF modify record for ldbmodify (the redirection and here-document
# markers were lost when the mail was archived; $1 is the user, $2 the home subfolder)
cat > /tmp/$1 <<EOF
dn: cn=$1,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectClass
objectClass: posixAccount
-
add: uidNumber
uidNumber: $uid
-
add: gidNumber
gidNumber: 20513
-
add: unixHomeDirectory
unixHomeDirectory: /home2/$2/$1
-
add: loginShell
loginShell: /bin/bash
-
add: profilePath
profilePath: hh30\\profiles\\$1
-
add: homeDirectory
homeDirectory: hh30\\$2\\$1
-
add: homeDrive
homeDrive: Z:
EOF
ldbmodify --url=/usr/local/samba/private/sam.ldb /tmp/$1
sleep 1
mkdir /home2/$2/$1
chown $uid:20513 /home2/$2/$1
#So we can login on the DC too if/when we use winbind
ln -s /home2/$2/$1 /home/ALTEA
samba-tool user setexpiry $1 --noexpiry
echo $1 created
sleep 1
getent passwd $1

There is a full blown (non domain specific) set of utilities for handling all AD objects from the DC without ever touching a m$ box here:
http://linuxcostablanca.blogspot.com.es/p/s4bind.html

HTH
Steve
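The "highest uid seen + 1" step in both versions of Steve's script above takes the maximum of every account getent returns, which on most distributions includes nobody (65534), so the next user lands well outside the `idmap config ALTEA:range = 2-4000` from the earlier config and winbind ignores it; it also never checks that a local account already holds the id. The function below is an added example, not the thread's script: it takes the lowest id inside a given sub-range that appears neither among the directory's uidNumber values (as printed by an ldbsearch for posixAccount objects) nor in a local passwd file, so a domain user never shares a uid with a local account. Both inputs are constructed sample data, and the 3000-4000 sub-range is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): allocate the lowest unused uidNumber in a
# range, checking both the directory and the local passwd file. Sample data is constructed.

# What "ldbsearch ... '(objectClass=posixAccount)' uidNumber" prints (constructed).
SAMPLE_LDIF='# record 1
dn: CN=steve,CN=Users,DC=hh3,DC=site
uidNumber: 3000

# record 2
dn: CN=lynn2,CN=Users,DC=hh3,DC=site
uidNumber: 3001

# record 3
dn: CN=jbloggs,CN=Users,DC=hh3,DC=site
uidNumber: 3003

# returned 3 records
'

# A local passwd file (constructed); 3002 is held by a local service account and
# nobody is 65534, which is what breaks a "max + 1" allocator.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
backup:x:3002:3002::/var/backups:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
'

# next_free_uid LOW HIGH LDIF_FILE PASSWD_FILE
# Prints the lowest id in [LOW, HIGH] used by neither file; returns 1 if the range is full.
next_free_uid() {
    low=$1; high=$2; ldif_file=$3; passwd_file=$4
    {
        # uidNumber attribute values from the LDIF
        sed -n 's/^uidNumber: *\([0-9]*\).*/\1/p' "$ldif_file"
        # third field of passwd(5) lines
        cut -d: -f3 "$passwd_file"
    } | sort -n | awk -v low="$low" -v high="$high" '
        { used[$1 + 0] = 1 }
        END {
            for (id = low + 0; id <= high + 0; id++)
                if (!(id in used)) { print id; exit 0 }
            exit 1
        }'
}

ldif=$(mktemp); passwd=$(mktemp)
printf '%s' "$SAMPLE_LDIF" > "$ldif"
printf '%s' "$SAMPLE_PASSWD" > "$passwd"
# 3000, 3001 and 3003 are taken in AD and 3002 by the local backup account,
# so the first free id in the assumed user sub-range 3000-4000 is 3004.
next_free_uid 3000 4000 "$ldif" "$passwd"
rm -f "$ldif" "$passwd"
```

On a DC the LDIF input would come from ldbsearch against sam.ldb and the passwd input from /etc/passwd; the value printed is what the script above would put in the uidNumber line of its LDIF record.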
Re: [Samba] Samba4: rfc2307 compatibility with Samba3
On 12/08/12 17:45, Gémes Géza wrote:
> On 2012-08-12 16:26, steve wrote:
>> On 12/08/12 15:28, Gémes Géza wrote:
>>> On 2012-08-12 09:31, steve wrote:
>>>> On 08/11/2012 01:10 PM, Andrew Bartlett wrote:
>>>>> On Sat, 2012-08-11 at 11:21 +0200, Helmut Hullen wrote:
>>
>> Hi Geza, hi everyone
>> OK, conclusion. I have a single box with s4 DC. The same box with a Vbox guest running S3.6, and NFS. The S4 DC becomes a NFS client when I mount the shares from the Vbox guest on it. I create users and their home directories on the DC. Files are served from the S3 Vbox guest. The DC has no shares apart from [global], [netlogon] and [sysvol].
>>
>> The s3 guest carries all the shares I would normally add after the 3 default DC shares. Instead of using the hostname of the DC when I mount shares on remote clients, I use the hostname of the S3 Guest.
>>
>> How am I doing so far?
>>
>> Cheers,
>> Steve
>
> Hi,
>
> IMHO what you've written could be a short HOWTO for using Samba4 in a network (maybe just without virtualbox part ;-) ).
>
> If this is more than a test setup I would recommend using Xen or KVM for virtualisation (My production boxes run on top of Xen for about 6 years, and at home I use KVM (for running test setups) (was easier to set up on a Desktop machine), (used Virtualbox before (didn't have hardware support for KVM))).

Hi Geza, hi everyone
Thanks. Praise indeed coming from a dev of your status :)
I'd still like to see s3fs cope with file serving on the DC itself, as it's sooo much easier to set up.

What is wrong with Vbox? Is Xen any smaller or faster? Our DC has only 2GB RAM. Running a VM on top of it is already asking a lot of it. Also we have rpm's for host and guest out of the box on openSUSE. Can you take snapshots on Xen like on Vbox and roll back when you screw up?

On the NFS side of affairs I see it is impossible to create a group rw NFS4 share from a 0022 umask. The NFS devs seem unwilling or unable to do anything about it. Meanwhile the NFS3 Kerberos backport works well enough. Any ideas?

A separate partition with a 0002 umask. Can I do that on the same disk?

Cheers,
Steve
Re: [Samba] Samba4: rfc2307 compatibility with Samba3
On 15/08/12 06:51, Gémes Géza wrote: On 2012-08-14 23:15, steve wrote: On 12/08/12 17:45, Gémes Géza wrote: On 2012-08-12 16:26, steve wrote: On 12/08/12 15:28, Gémes Géza wrote: On 2012-08-12 09:31, steve wrote: On 08/11/2012 01:10 PM, Andrew Bartlett wrote: On Sat, 2012-08-11 at 11:21 +0200, Helmut Hullen wrote: What is wrong with Vbox? Is Xen any smaller or faster? Both smaller and faster (http://www.phoronix.com/scan.php?page=article&item=ubuntu_1110_xenkvm&num=1), and unlike vbox both kvm and xen provide a way to boot your virtual machine at the boot of the host. Hi Thanks for the link. Unfortunately Vbox is the only VM which has 32bit support. The others need 64bit, which we don't have:( I'll ask on the openSUSE list to see if there is any workaround. Cheers, Steve
Re: [Samba] Samba4: rfc2307 compatibility with Samba3
On 15/08/12 10:39, Rowland Penny wrote: On 15/08/12 08:02, steve wrote: On 15/08/12 06:51, Gémes Géza wrote: On 2012-08-14 23:15, steve wrote: On 12/08/12 17:45, Gémes Géza wrote: On 2012-08-12 16:26, steve wrote: On 12/08/12 15:28, Gémes Géza wrote: On 2012-08-12 09:31, steve wrote: On 08/11/2012 01:10 PM, Andrew Bartlett wrote: On Sat, 2012-08-11 at 11:21 +0200, Helmut Hullen wrote: What is wrong with Vbox? Is Xen any smaller or faster? Both smaller and faster (http://www.phoronix.com/scan.php?page=article&item=ubuntu_1110_xenkvm&num=1), and unlike vbox both kvm and xen provide a way to boot your virtual machine at the boot of the host. Hi Thanks for the link. Unfortunately Vbox is the only VM which has 32bit support. The others need 64bit, which we don't have:( I'll ask on the openSUSE list to see if there is any workaround. Cheers, Steve Hello Steve, you seem to be working on the same thing as I am, using Samba4 as a domain controller. I initially tried your set up and found the problems that you have, this is where we seem to have forked off in different directions. You seem to be chasing using Winbind and NFS, whilst I went with Winbind and Pam_mount. I am only using one server running samba4, with Pam-mount I can mount any users unixhomedir (wherever that may be) from the server onto the clients (like windows profiles) via the use of groups and can also mount the dropbox share which shows up in the users home directory. If you are interested, I can supply you my notes to try it out yourself. Hi Rowland We ditched winbind totally in favour of the (much faster and predictable) nss-pam-ldapd. That coupled with NFS4 gets the job done albeit unofficially. Yes, thanks for the offer. We'd be interested to see/compare any alternatives. On a different note, we've only just discovered that s3fs is not yet ready as a fileserver and we have to split off from the DC and use a separate 3.6 box as the filer.
Cheers, Steve
Re: [Samba] Samba4: rfc2307 compatibility with Samba3
On 12/08/12 17:45, Gémes Géza wrote: On 2012-08-12 16:26, steve wrote: On 12/08/12 15:28, Gémes Géza wrote: On 2012-08-12 09:31, steve wrote: On 08/11/2012 01:10 PM, Andrew Bartlett wrote: On Sat, 2012-08-11 at 11:21 +0200, Helmut Hullen wrote: Hello Andrew, on 11.08.12 you wrote: In Samba3, I have full rfc2307 compliance via winbind where all attributes can be obtained from AD. In Samba4 I only have partial rfc2307 compatibility with: idmap_ldb:use rfc2307 = yes uidNumber and gidNumber can be obtained from AD but unixHomeDirectory and loginShell are missing. [...] At this stage, we still don't recommend combining file server and DC functions. By separating these functions onto different (virtual) servers, you can avoid this issue. Sorry - that sounds ugly. I prefer using samba as a combined system for SOHO (especially for schools). And working with several servers (especially virtual servers) is not attractive for someone who looks after the server as a second or third job, beneath his/her main job. I would rather advertise a narrower, known to work set of functionality than promise broader features than we know work well in production experience. In particular, we know about the limitations that Steve mentions, and we know the workaround: don't mix the file server and AD DC. Andrew Bartlett Hi Does this mean having one Samba4 machine as the DC and another Samba4 (e.g. Vbox) machine joined to it as a member to act as fileserver? Cheers, Steve If you don't want to use the second box interactively yes, if you intend to login there, or have home directories served from there better install Samba3.6 on it. Regards Geza Hi Geza, hi everyone OK, conclusion. I have a single box with s4 DC. The same box with a Vbox guest running S3.6, and NFS. The S4 DC becomes an NFS client when I mount the shares from the Vbox guest on it. I create users and their home directories on the DC. Files are served from the S3 Vbox guest.
The DC has no shares apart from [global], [netlogon] and [sysvol]. The s3 guest carries all the shares I would normally add after the 3 default DC shares. Instead of using the hostname of the DC when I mount shares on remote clients, I use the hostname of the S3 Guest. How am I doing so far? Cheers, Steve Hi, IMHO what you've written could be a short HOWTO for using Samba4 in a network

Geza, How do I tell xp and 7 clients to look at the virtual s3.6 machine as fileserver? Cheers, Steve
[Samba] Samba4 DC with Samba3 file-server howto
Hi I have a Samba4 DC (hh30.hh3.site, 192.168.1.30) and a Samba3 VM on the same box (hh33.hh3.site, 192.168.1.33). How do I tell XP and 7 clients to look at the S4 DC for authentication and the S3 fileserver for files? It already does the authentication bit OK. It's mainly the second part of the question as to how to instruct the m$ boxes to look at the file-server rather than the DC for files. Cheers, Steve
[Samba] Domain Admin cannot access files
Hi I just joined a Samba 3.6.3 machine as a file server for a Samba4 domain. Normal users can login and reach the shares apart from the domain Administrator. After Administrator has logged in, any attempt to reach the file server results in a username and password prompt. Supplying the correct information still will not allow share access for Administrator. Using s3fs under Samba4, Administrator is allowed full access without being asked for a password. What am I missing? Cheers, Steve

[global]
    workgroup = MARINA
    realm = hh3.site
    security = ADS
[home]
    path = /home2/MARINA
    read only = No
[staff]
    path = /home2/staff
    read only = No
Re: [Samba] Samba4 DC with Samba3 file-server howto
On 15/08/12 17:47, Gémes Géza wrote: On 2012-08-15 13:02, steve wrote: Hi I have a Samba4 DC (hh30.hh3.site, 192.168.1.30) and a Samba3 VM on the same box (hh33.hh3.site, 192.168.1.33). How do I tell XP and 7 clients to look at the S4 DC for authentication and the S3 fileserver for files? It already does the authentication bit OK. It's mainly the second part of the question as to how to instruct the m$ boxes to look at the file-server rather than the DC for files. Cheers, Steve Hi, It depends on what you mean by having to look at. One way is to write some logon scripts, by which they would map the shares as drives (of course that supposes that you have the Samba3 boxes joined to the AD of Samba4). If you intend to share some home directories, then create the home share on Samba3 and specify the homepath for each user as \\samba3servershostname\%USERNAME% and a homedrive according to your taste (I had chosen U: (about 10 years ago (Samba 2.2.something))). If you want to redirect some folders (e.g. Documents, Desktop, etc.) you can do that by firing up the group policy editor and specifying the redirects there. Regards Geza Hi Geza Thanks for the clue. I specified

    homeDrive: Z:
    homeDirectory: \\hh32\home\user
    profilePath: \\hh32\profiles\user

Is that what you mean? If so, it works. That's great for users, but Administrator can't access the shares. He always gets a logon prompt. Even with the correct username and password he still cannot access any share on \\hh32 Anyway, great news for the users. Need to get Administrator sorted out. Cheers and thanks again, Steve
Re: [Samba] Domain Admin cannot access files
On 15/08/12 23:51, Rowland Penny wrote: On 15/08/12 22:10, Gémes Géza wrote: On 2012-08-15 18:59, steve wrote: Hi I just joined a Samba 3.6.3 machine as a file server for a Samba4 domain. Normal users can login and reach the shares apart from the domain Administrator. After Administrator has logged in, any attempt to reach the file server results in a username and password prompt. Supplying the correct information still will not allow share access for Administrator. Using s3fs under Samba4, Administrator is allowed full access without being asked for a password. What am I missing? Cheers, Steve

[global]
    workgroup = MARINA
    realm = hh3.site
    security = ADS
[home]
    path = /home2/MARINA
    read only = No
[staff]
    path = /home2/staff
    read only = No

IF this is a Samba3 config file, you DO NOT need to specify a path for a [homes] share. That way (a correctly configured Samba3 box (HERE COMES winbind into PLAY!)) will give each user its own home share. I've pasted a default [homes] section from an ubuntu 12.04 box (I'm using it only for running winbind on it to allow login of domain users, no samba running on that box), as you can see it is still commented out:

;[homes]
;   comment = Home Directories
;   browseable = no
# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
;   read only = yes
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
;   create mask = 0700
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
;   directory mask = 0700
# By default, \\server\username shares can be connected to by anyone
# with access to the samba server. Un-comment the following parameter
# to make sure that only username can connect to \\server\username
# The following parameter makes sure that only username can connect
#
# This might need tweaking when using external authentication schemes
;   valid users = %S

Regards Geza Gemes

He is not exporting the samba homes share, he is exporting a share called [home], that is why he needs the path statement. Administrator on my samba4 server is a member of: Group Policy Creator Owners, Enterprise Admins, Schema Admins, Domain Admins. So unless your shares are owned by Administrator or one of his groups or are set xx7, I do not think he should be able to get into the shares. Rowland

Hi Geza, Rowland, everyone openSUSE 12.1 Samba 4.0.0beta7-GIT 9566786 DC Samba 3.6.3 file server on Vbox [homes] is not the same as [home] I do not want the restriction of [homes] with all home directories all having to be in the same folder. With s3fs, Administrator has full control over all the shares. What I'm trying to do is convert this on S4 s3fs (which works perfectly):

[global]
    server role = domain controller
    workgroup = ALTEA
    realm = hh3.site
    netbios name = HH1
    passdb backend = samba4
    idmap_ldb:use rfc2307 = yes
[netlogon]
    path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
    read only = No
[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
[home]
    path = /home2
    read only = No
[profiles]
    path = /home2/profiles
    read only = No

To something equivalent on S3 smbd. This is what I have so far:

[global]
    workgroup = ALTEA
    realm = HH3.SITE
    security = ADS
    kerberos method = secrets and keytab
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind expand groups = 2
    winbind nss info = rfc2307
    winbind refresh tickets = Yes
    idmap config ALTEA:schema_mode = rfc2307
    idmap config ALTEA:range = 2-4000
    idmap config ALTEA:backend = ad
    idmap config * : backend = tdb
[home]
    path = /home2/home
    read only = No
[profiles]
    path = /home2/profiles
    read only = No
    create mask = 0600
    directory mask = 0700
    store dos attributes = Yes

It works, but it's slow and roaming profiles sometimes work, sometimes not. And Administrator has no control over permissions. No one on m$ has control over anything in fact. Could anyone give me a full s3fs to S3 smbd translation? Is there a tool to do so? Going from smbd to s3fs is documented, but this seems to be breaking new territory. . . What am I missing in my smb.conf translation to make this as fast and as reliable as s3fs? Cheers, Steve
[Samba] S4 DC S3 file server: samba-tool and net ads user problems
Hi everyone I have a S4 DC with a S3 fileserver. I want to create users and their unixHomeDirectory on the fileserver. I can do this with a script which uses ldapmodify. Fine so far. The user shows in getent passwd on the DC and in wbinfo -u on the S3 box but does not show in getent passwd on the fileserver. The user has been created with all his rfc2307 attributes but is invisible to winbind on the S3 box. I have tried restarting winbind on the S3 box but still no luck. Is there a cache I must clear somewhere? How can I get new users to show on the S3 box? Cheers, Steve
Re: [Samba] S4 DC S3 file server: samba-tool and net ads user problems
On 16/08/12 19:32, Gémes Géza wrote: On 2012-08-16 18:53, steve wrote: Hi everyone I have a S4 DC with a S3 fileserver. I want to create users and their unixHomeDirectory on the fileserver. I can do this with a script which uses ldapmodify. Fine so far. The user shows in getent passwd on the DC and in wbinfo -u on the S3 box but does not show in getent passwd on the fileserver. The user has been created with all his rfc2307 attributes but is invisible to winbind on the S3 box. I have tried restarting winbind on the S3 box but still no luck. Is there a cache I must clear somewhere? How can I get new users to show on the S3 box? Cheers, Steve Hi, I'm not sure I've understood your situation, so please correct me if I'm wrong. You have 3 computers: 1. Samba4 (everything works to the amount permitted by its winbind implementation) Does winbindd have to be running on this DC? I thought it didn't matter whether it was or it wasn't. I use nss-ldapd for mapping on this box as the S4 winbindd seems to be broken for groups. 2. Samba3 (everything works, including having homedirs and shells obtained via winbind from AD) Yes. The home directory shares are all on this box 3. Samba3 (where do you intend to have home directories, and could not list users) No. I have no box 3. Just 2 boxes. S4 DC and S3 fileserver. Here is the conf which works on box2:

[global]
    realm = hh3.site
    workgroup = ALTEA
    security = ADS
    winbind enum users = Yes
    winbind enum groups = Yes
    idmap config *:backend = tdb
    idmap config *:range = 3000-4000
    idmap config ALTEA:backend = ad
    idmap config ALTEA:range = 2-4000
    idmap config ALTEA:schema_mode = rfc2307
    winbind nss info = rfc2307
    winbind expand groups = 2
    winbind nested groups = yes
[home]
    path = /home2/home
    read only = No
[profiles]
    path = /home2/profiles
    read only = No

However, m$ machines cannot write to the shares even though they are correctly listed as having the correct permissions and ownership.

If that is the situation you could simply copy the config from the second box to the third one, and add a [homes] share and everything should work. If not, in a previous e-mail of yours you've already written the samba config needed for having a working winbind with idmap_ad. One thing I've learned the hard way: if any of the gidNumbers of a group a user belongs to is out of the range you've specified in your smb.conf for your domain, that user is going to be invisible (I've avoided it with a range = 0-1000). If you have winbind installed by package I would try to delete /var/lib/samba/winbind* (WHILE winbind IS STOPPED), and then restart it. Regards Geza Gemes
Re: [Samba] S4 DC S3 file server: samba-tool and net ads user problems
On 08/16/2012 08:56 PM, Gémes Géza wrote: On 2012-08-16 20:07, steve wrote: On 16/08/12 19:32, Gémes Géza wrote: On 2012-08-16 18:53, steve wrote: Here is the conf which works on box2:

[global]
    realm = hh3.site
    workgroup = ALTEA
    security = ADS
    winbind enum users = Yes
    winbind enum groups = Yes
    idmap config *:backend = tdb
    idmap config *:range = 3000-4000
    idmap config ALTEA:backend = ad
    idmap config ALTEA:range = 2-4000
    idmap config ALTEA:schema_mode = rfc2307
    winbind nss info = rfc2307
    winbind expand groups = 2
    winbind nested groups = yes
[home]
    path = /home2/home
    read only = No
[profiles]
    path = /home2/profiles
    read only = No

The following are for the Samba3 box: Does net ads testjoin report join ok? wbinfo -u lists all the users? wbinfo -g lists all the groups? wbinfo -i some_username is able to list all user info? Have you changed your /etc/nsswitch.conf to have? passwd: files winbind group: files winbind (others don't really matter) does id some_username and getent passwd some_username give meaningless results? If all the above yes, have you checked, that the shared folder permits write access for the above some_username (from linux shell first)? Hi Geza, Rowland, everyone OK I found it. The answer to all the above is yes. I did one further check with getent group which does _not_ return AD groups. getent group ALTEA\\group_name does however work. Anyway I found the problem.

Here is a user with rfc2307:

dn: CN=steve2,CN=Users,DC=hh3,DC=site
cn: steve2
instanceType: 4
whenCreated: 20120812101809.0Z
uSNCreated: 3845
name: steve2
objectGUID: 30cef31e-fba8-418a-a0e7-293ddf232c7e
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-643408982-184040625-1139712187-1123
logonCount: 0
sAMAccountName: steve2
sAMAccountType: 805306368
userPrincipalName: ste...@hh3.site
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hh3,DC=site
pwdLastSet: 1298924029
uidNumber: 324
gidNumber: 20513
unixHomeDirectory: /home2/home/steve2
loginShell: /bin/bash
homeDrive: Z:
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
userAccountControl: 66048
accountExpires: 0
homeDirectory: \\hh30\home\steve2
profilePath: \\hh30\profiles\steve2
whenChanged: 20120816093724.0Z
uSNChanged: 4030
distinguishedName: CN=steve2,CN=Users,DC=hh3,DC=site

hh30.hh3.site is the S4-DC and hh32.hh3.site is the S3-file server. Note that the entries for:

    homeDirectory: \\hh30\home\steve2
    profilePath: \\hh30\profiles\steve2

point to the DC _not_ the file server DOH! I changed the entries to:

    homeDirectory: \\hh32\home\steve2
    profilePath: \\hh32\profiles\steve2

and home directories and profiles became meaningful once again :) Not an easy one that. The error came because I was using the two existing machines to switch from s3fs all on one box to S4/S3 on two separate boxes. Thanks everyone for staying with me on this. I must say I prefer the DC with s3fs on one box. Cheers, Steve
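The checks this exchange turned on, written up as an added example (it is not from the thread and not Samba's own tooling): it reads the idmap config DOMAIN:range lines from an smb.conf fragment and a single-entry LDIF like the steve2 entry above, then reports whether the posix attributes winbind's idmap_ad backend needs are present, whether uidNumber and every gidNumber fall inside the range (Géza's point in the earlier reply: an ID outside the configured range is not mapped, so the user stays invisible), and whether homeDirectory/profilePath name the file server rather than the DC. The smb.conf fragment, the LDIF and the group gid list are constructed from values posted in this thread; the DC and file server names hh30 and hh32 are the ones Steve gives above. With the thread's own values (range 2-4000, gidNumber 20513) the primary group sits outside the range, so the audit lists that alongside the two UNC paths Steve corrected.

```python
"""Audit an AD user entry for a Samba4 DC + Samba3 file-server split.

Added example (not from the thread or from Samba). Three checks:
  1. the posix attributes winbind/idmap_ad needs are present,
  2. uidNumber and every gidNumber fall inside 'idmap config DOM:range'
     (idmap_ad does not map IDs outside the configured range),
  3. homeDirectory/profilePath UNC paths name the file server, not the DC.
"""
import re

# Constructed smb.conf fragment, values as posted in the thread.
SMB_CONF = """
[global]
    realm = hh3.site
    workgroup = ALTEA
    security = ADS
    idmap config *:backend = tdb
    idmap config *:range = 3000-4000
    idmap config ALTEA:backend = ad
    idmap config ALTEA:range = 2-4000
    idmap config ALTEA:schema_mode = rfc2307
"""

# Constructed single-entry LDIF, abridged from the steve2 entry (before the fix).
USER_LDIF = r"""
dn: CN=steve2,CN=Users,DC=hh3,DC=site
sAMAccountName: steve2
uidNumber: 324
gidNumber: 20513
unixHomeDirectory: /home2/home/steve2
loginShell: /bin/bash
homeDirectory: \\hh30\home\steve2
profilePath: \\hh30\profiles\steve2
"""

# Constructed: gidNumbers of the groups the user belongs to (primary + supplementary).
GROUP_GIDS = {"Domain Users": 20513, "staff": 3001}

RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def parse_idmap_ranges(conf):
    """{DOMAIN: (low, high)} from every 'idmap config DOMAIN:range = a-b' line."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def parse_ldif(ldif):
    """One LDIF entry as {attr: [values]}; multi-valued attributes keep every value."""
    entry = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def unc_host(path):
    """Host part of a UNC path (two leading backslashes), lowercased; '' if not UNC."""
    m = UNC_RE.match(path)
    return m.group(1).lower() if m else ""


def audit_user(entry, ranges, domain, group_gids, dc_host, fileserver_host):
    """Return a list of problem strings; an empty list means the entry passes."""
    problems = []
    for attr in ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell"):
        if attr not in entry:
            problems.append("missing %s" % attr)
    low, high = ranges[domain.upper()]
    ids = {}
    for attr in ("uidNumber", "gidNumber"):
        if attr in entry:
            ids[attr] = int(entry[attr][0])
    for name, gid in group_gids.items():
        ids["group %s" % name] = gid
    for label, value in ids.items():
        if not low <= value <= high:
            problems.append("%s=%d outside idmap range %d-%d" % (label, value, low, high))
    for attr in ("homeDirectory", "profilePath"):
        for value in entry.get(attr, []):
            if unc_host(value) == dc_host.lower():
                problems.append("%s=%s points at the DC, not %s" % (attr, value, fileserver_host))
    return problems


def run():
    """Audit the constructed entry against the constructed smb.conf."""
    return audit_user(parse_ldif(USER_LDIF), parse_idmap_ranges(SMB_CONF),
                      "ALTEA", GROUP_GIDS, dc_host="hh30", fileserver_host="hh32")


if __name__ == "__main__":
    for problem in run() or ["entry looks consistent"]:
        print(problem)
```

To run it against a live directory, feed parse_ldif the output of an ldbsearch or ldapsearch for one user and fill the group gid dict from the user's memberOf groups; the range check is the one to look at first, because an out-of-range primary group makes the account vanish from getent even though wbinfo -u still lists it.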
[Samba] net ads user add: Can we prompt for a password?
Hi In a script I have this:

    net ads user add $1
    net ads password $1 some-pwd -UAdministrator%admin-pwd

1. Can I get net ads to prompt for a new password? 2. Is there any way I can avoid having the admin-pwd in the script? Administrator has a ticket but still it fails if I do not supply the pwd. Cheers, Steve
Re: [Samba] net ads user add: Can we prompt for a password?
On 17/08/12 08:47, steve wrote: Hi In a script I have this:

    net ads user add $1
    net ads password $1 some-pwd -UAdministrator%admin-pwd

1. Can I get net ads to prompt for a new password? 2. Is there any way I can avoid having the admin-pwd in the script? Administrator has a ticket but still it fails if I do not supply the pwd. Cheers, Steve Hi again When I create a user, it says his account is disabled. If I go to the DC and: samba-tool user setexpiry steve10 --noexpiry It still says that the user is disabled. Why is this? Cheers, Steve
[Samba] XP Administrator has no access to shares
Hi S4 DC with S3 fileserver. smb.conf on the fileserver:

[global]
    workgroup = ALTEA
    realm = HH3.SITE
    security = ADS
    kerberos method = secrets and keytab
    winbind enum users = Yes
    winbind enum groups = Yes
    idmap config *:backend = tdb
    idmap config *:range = 3000-4000
    idmap config ALTEA:backend = ad
    idmap config ALTEA:range = 2-4000
    idmap config ALTEA:schema_mode = rfc2307
    winbind nss info = rfc2307
    winbind expand groups = 2
    winbind nested groups = yes
    usershare allow guests = No
    winbind refresh tickets = yes
[home]
    path = /home2/home
    read only = No
[staff]
    path = /home2/staff
    read only = No
[profiles]
    path = /home2/profiles
    read only = No
    store dos attributes = Yes
    create mask = 0600
    directory mask = 0700
[dropbox]
    path = /home2/dropbox
    force create mode = 0660
    force directory mode = 0770
    read only = No

wbinfo -u lists Administrator but getent passwd lists only those users with a uidNumber and gidNumber. The latter users can login to xp and enter the shares fine. Administrator can login but gets a password prompt each time he hits a share. Giving the correct password results in XP stating that he has no permission to access the share. How do I get Administrator to enter and manipulate the shares? I thought that that was his purpose. Cheers, Steve
Re: [Samba] XP Administrator has no access to shares
On 17/08/12 13:17, Gémes Géza wrote: On 2012-08-17 11:44, steve wrote: Hi S4 DC with S3 fileserver. smb.conf on the fileserver:

[global]
    workgroup = ALTEA
    realm = HH3.SITE
    security = ADS
    kerberos method = secrets and keytab
    winbind enum users = Yes
    winbind enum groups = Yes
    idmap config *:backend = tdb
    idmap config *:range = 3000-4000
    idmap config ALTEA:backend = ad
    idmap config ALTEA:range = 2-4000
    idmap config ALTEA:schema_mode = rfc2307
    winbind nss info = rfc2307
    winbind expand groups = 2
    winbind nested groups = yes
    usershare allow guests = No
    winbind refresh tickets = yes
[home]
    path = /home2/home
    read only = No
[staff]
    path = /home2/staff
    read only = No
[profiles]
    path = /home2/profiles
    read only = No
    store dos attributes = Yes
    create mask = 0600
    directory mask = 0700
[dropbox]
    path = /home2/dropbox
    force create mode = 0660
    force directory mode = 0770
    read only = No

wbinfo -u lists Administrator but getent passwd lists only those users with a uidNumber and gidNumber. The latter users can login to xp and enter the shares fine. Administrator can login but gets a password prompt each time he hits a share. Giving the correct password results in XP stating that he has no permission to access the share. How do I get Administrator to enter and manipulate the shares? I thought that that was his purpose. Cheers, Steve First: in the Windows security model Administrator is not root from the Unix world, it is just a predefined account, member of the Administrators group or, in a domain, of the Domain Admins group, and that gives access, so you could do all the management operations from any other user account member of the Domain Admins group.
Second: samba3 smbd and thus s3fs (I think ntvfs not, but I could be wrong) needs that the connected user has a valid uid/gidNumber in order to be able to check the posix acl permissions, so if you want to connect to a Samba3 box as Administrator, first give it all the posix attributes you've given to the other user accounts (however it doesn't need a unixHomeDirectory or loginShell if you won't login e.g. via ssh as Administrator) Regards Geza Gemes Hi Geza OK. Domain Admins and Domain Users have posixGroup and gidNumber. They show on getent passwd name of group I login to XP as Administrator. I can do stuff like unjoin the domain and change the DNS address but I cannot access the shares. Is there a user in m$ that is like the root user in Linux? Should domain admins have a gidNumber of 0 (zero)? Should domain admins also have a posixAccount with a uidNumber of 0 (zero)? What am I missing? Cheers, Steve
Re: [Samba] XP Administrator has no access to shares
On 18/08/12 23:00, Gémes Géza wrote: On 2012-08-18 08:48, steve wrote: On 17/08/12 13:17, Gémes Géza wrote: On 2012-08-17 11:44, steve wrote: Hi S4 DC with S3 fileserver. smb.conf on the fileserver:

[global]
    workgroup = ALTEA
    realm = HH3.SITE
    security = ADS
    kerberos method = secrets and keytab
    winbind enum users = Yes
    winbind enum groups = Yes
    idmap config *:backend = tdb
    idmap config *:range = 3000-4000
    idmap config ALTEA:backend = ad
    idmap config ALTEA:range = 2-4000
    idmap config ALTEA:schema_mode = rfc2307
    winbind nss info = rfc2307
    winbind expand groups = 2
    winbind nested groups = yes
    usershare allow guests = No
    winbind refresh tickets = yes
[home]
    path = /home2/home
    read only = No
[staff]
    path = /home2/staff
    read only = No
[profiles]
    path = /home2/profiles
    read only = No
    store dos attributes = Yes
    create mask = 0600
    directory mask = 0700
[dropbox]
    path = /home2/dropbox
    force create mode = 0660
    force directory mode = 0770
    read only = No

wbinfo -u lists Administrator but getent passwd lists only those users with a uidNumber and gidNumber. The latter users can login to xp and enter the shares fine. Administrator can login but gets a password prompt each time he hits a share. Giving the correct password results in XP stating that he has no permission to access the share. How do I get Administrator to enter and manipulate the shares? I thought that that was his purpose. Cheers, Steve First: in the Windows security model Administrator is not root from the Unix world, it is just a predefined account, member of the Administrators group or, in a domain, of the Domain Admins group, and that gives access, so you could do all the management operations from any other user account member of the Domain Admins group.
Second: samba3 smbd and thus s3fs (I think ntvfs not, but I could be wrong) needs that the connected user has a valid uid/gidNumber in order to be able to check the posix acl permissions, so if you want to connect to a Samba3 box as Administrator, first give it all the posix attributes you've given to the other user accounts (however it doesn't need a unixHomeDirectory or loginShell if you won't login e.g. via ssh as Administrator) Regards Geza Gemes Hi Geza OK. Domain Admins and Domain Users have posixGroup and gidNumber. They show on getent passwd name of group I login to XP as Administrator. I can do stuff like unjoin the domain and change the DNS address but I cannot access the shares. Is there a user in m$ that is like the root user in Linux? Should domain admins have a gidNumber of 0 (zero)? Should domain admins also have a posixAccount with a uidNumber of 0 (zero)? What am I missing? Cheers, Steve Hi Steve, First check if the user has permissions on the box running samba3 Second check if you have in the share definition any of valid users, write list, read list, readable, writable parameters Regards Geza Gemes Hi Géza Thanks for your patience. Lets take this share:

[home]
    path = /home2/home
    read only = No

1. Could you tell me what I need to add to enable Administrator to have full control over it? 2. is there a user in the Domain (like root in Linux) who has control over everything? Shares, users, network, the lot? 3. Is there a global way of enabling Administrator to be allowed write access and be able to change permissions and acl's from the security tab? Or must this be done on a per share basis. I made one change to the [global] section: winbind use default domain = Yes This drops the ALTEA\ part of the name. Otherwise users cannot authenticate via Kerberos because PAM passes the name as ALTEAuser rather than ALTEA\user to the KDC. With the default domain line it passes the name correctly as just name and krb5 auth works again.
Cheers, Steve
Re: [Samba] XP Administrator has no access to shares
On 20/08/12 09:42, Gémes Géza wrote: Hi Steve, Answers below Hi Géza Thanks for your patience. Lets take this share: [home] path = /home2/home read only = No 1. Could you tell me what I need to add to enable Administrator to have full control over it?

Hi Geza I think I just understood it. It has all started working.

The most probable cause of not having access is that Administrator has no access to the underlying filesystem, so I would do a setfacl -R -m u:Administrator:rwx,d:u:Administrator:rwx /home2/home It could have two results: 1. everything starts working, 2. it complains that it couldn't find user Administrator, which indicates that you should review your winbind and nsswitch config.

    setfacl -R -m u:Administrator:rwx,d:u:Administrator:rwx /home2/home

Now Administrator can write to /home2/home and any directory under it. Brilliant. Administrator must have posixAccount, uidNumber and gidNumber for this to work.

2. is there a user in the Domain (like root in Linux) who has control over everything? Shares, users, network, the lot? NO Not even with a m$ server?

As always we are indebted to your patience and time spent with us on the issue. This is a bit off thread, but could you specify any budget hardware/minimum Samba4 DC Samba3 fileserver server requirements for a college of 2000 students sharing 150 dual boot KDE/w7? Cheers, Steve
Re: [Samba] XP Administrator has no access to shares
On 20/08/12 10:45, steve wrote: On 20/08/12 09:42, Gémes Géza wrote: setfacl -R -m u:Administrator:rwx,d:u:Administrator:rwx /home2/home Hi Géza Sorry to be a pain but there is a slight problem with the acl All folders under /home2/home now have e.g.: drwxrwxr-w+ 20 steve2 domain users and files have: -rw-rwx---+ steve2 domain users which means somehow, group rw has been set for everything:

steve@hh32:/home2 getfacl home
# file: home
# owner: root
# group: root
user::rwx
user:administrator:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:administrator:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

Is there a way to correct this? Cheers, Steve
Re: [Samba] server hardware
On 20/08/12 10:59, Helmut Hullen wrote:
> Hello, steve,
> You wrote on 20.08.12:
>> This is a bit off thread, but could you specify any budget hardware/minimum Samba4 DC Samba3 fileserver server requirements for a college of 2000 students sharing 150 dual boot KDE/w7?
> Where's the problem? Such configurations need a machine with 2 GHz CPU, 4 GByte RAM and (better) 2 or 4 NICs. No machine with a server label.
> Here in Germany many schools (especially vocational schools) have run Samba 3.x for many years for more than 1000 pupils and 100 to 200 clients. And for many months with private smartphones too (connected via WLAN).
> The samba load (for directories on the server) is most times small; squid bears a much bigger load (for surfing).
> The biggest samba problem seems to be where and how to store the user's profile.
> Best regards!
> Helmut

Hi Helmut
Thanks for taking on the thread. You give me encouragement in that the hardware requirements seem low. In fact we have been using 2 old laptops running from 16GB usb pendrives as our replicating DCs serving 10 client boxes with no trouble at all.

I see the main problem (and probably cost too) in the file server and redundancy. As the infrastructure is already in place (it's a 6 year old installation with cables everywhere) we need to make a decision on how to serve, store and backup files. We have a low budget and have looked at raid, a DRBD cluster and just rsyncing out to a backup server at regular intervals, switching cables and doing an IP takeover when the main fileserver goes down.

Just thinking out loud.

Cheers,
Steve
Re: [Samba] XP Administrator has no access to shares
On 20/08/12 21:17, Gémes Géza wrote:
> On 2012-08-20 11:09, steve wrote:
>> On 20/08/12 10:45, steve wrote:
>>> On 20/08/12 09:42, Gémes Géza wrote:
>>>> setfacl -R -m u:Administrator:rwx,d:u:Administrator:rwx /home2/home
>>
>> Hi Géza
>> Sorry to be a pain but there is a slight problem with the acl. All folders under /home2/home now have e.g.:
>> drwxrwxr-w+ 20 steve2 domain users
>> and files have:
>> -rw-rwx---+ steve2 domain users
>> which means somehow, group rw has been set for everything:
>> steve@hh32:/home2 getfacl home
>> # file: home
>> # owner: root
>> # group: root
>> user::rwx
>> user:administrator:rwx
>> group::r-x
>> mask::rwx
>> other::r-x
>> default:user::rwx
>> default:user:administrator:rwx
>> default:group::r-x
>> default:mask::rwx
>> default:other::r-x
>> Is there a way to correct this?
>> Cheers,
>> Steve
>
> Hi
> If I understand your problem you didn't like the fact that the group domain users have write and read rights, isn't it? You can change those rights with setfacl for example.
> Regards
> Geza Gemes

Hi Géza
Actually this works. It denies group rw access _even though_ in a file listing with ls -l files show as:

Set the acl like you suggested:
setfacl -R -m u:Administrator:rwx,d:u:Administrator:rwx /home2/home

Files now appear like this:
-rwxrwx--x+

It looks as though they are group rw but in actual fact, they behave like this:
-rwxr-x--x

Conclusion: Don't believe what the file listing shows. It doesn't seem to be wysiwyg. The only way you can really see access rights is to do a getfacl.

Does that seem OK? Does anyone else observe this?

Cheers,
Steve
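The ls -l versus getfacl discrepancy discussed in the messages above comes from the ACL mask: when a file carries an extended ACL (the trailing +), ls -l prints the mask in the group triad rather than the owning group's entry, and the owning group, named users and named groups are each limited to (entry AND mask). The following Python script is an added example, not code from the thread; it parses getfacl output and computes the effective rights. The first sample is the getfacl output quoted above for /home2/home; the other two are constructed here to match the file behaviour the poster describes and the opposite case (a mask narrower than a named-user entry).

```python
"""Show why `ls -l` on a file with a POSIX ACL (the trailing '+') can show
group rwx while the owning group is really limited to r-x.

Added example; not code from the list thread. GETFACL_HOME is the getfacl
output quoted in the thread; the other two samples are constructed.
"""

GETFACL_HOME = """\
# file: home
# owner: root
# group: root
user::rwx
user:administrator:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:administrator:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
"""

# constructed: a file that ls -l lists as -rwxrwx--x+ but behaves as -rwxr-x--x
GETFACL_FILE = """\
user::rwx
user:administrator:rwx
group::r-x
mask::rwx
other::--x
"""

# constructed: mask tighter than the named-user entry (getfacl would add
# an "#effective:r-x" comment on the administrator line)
GETFACL_NARROW_MASK = """\
user::rwx
user:administrator:rwx
group::r-x
mask::r-x
other::---
"""


def parse_getfacl(text):
    """Return {'access': [(tag, qualifier, perms), ...], 'default': [...]}."""
    acl = {"access": [], "default": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind = "access"
        if line.startswith("default:"):
            kind, line = "default", line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        acl[kind].append((tag, qualifier, perms))
    return acl


def apply_mask(perms, mask):
    """Bitwise AND of two 'rwx'-style strings, position by position."""
    return "".join(p if p == m and p != "-" else "-" for p, m in zip(perms, mask))


def effective_rights(entries):
    """Rights each entry actually grants: named users, named groups and the
    owning group are limited by the mask; the owner and 'other' are not."""
    mask = next((p for t, q, p in entries if t == "mask"), None)
    rights = {}
    for tag, qual, perms in entries:
        if tag == "mask":
            continue
        limited = mask is not None and (tag == "group" or (tag == "user" and qual))
        rights[(tag, qual)] = apply_mask(perms, mask) if limited else perms
    return rights


def ls_mode(entries):
    """The 9-character mode ls -l prints: owner, then the MASK (not the
    owning group) when a mask entry exists, then other."""
    d = {(t, q): p for t, q, p in entries}
    return d[("user", "")] + d.get(("mask", ""), d[("group", "")]) + d[("other", "")]


def real_mode(entries):
    """Same three triads, but with the owning group's effective rights."""
    d = {(t, q): p for t, q, p in entries}
    return d[("user", "")] + effective_rights(entries)[("group", "")] + d[("other", "")]


if __name__ == "__main__":
    samples = (("home", GETFACL_HOME), ("file", GETFACL_FILE), ("narrow mask", GETFACL_NARROW_MASK))
    for name, text in samples:
        acc = parse_getfacl(text)["access"]
        print(f"{name}: ls -l shows {ls_mode(acc)}, behaves as {real_mode(acc)}")
        for (tag, qual), eff in effective_rights(acc).items():
            print(f"  {tag}:{qual}: effective {eff}")
```

For the directory quoted in the thread the script reports that ls -l shows rwxrwxr-x while the owning group (domain users) is effectively r-x, which is exactly the "don't believe the file listing" observation; getfacl is the authoritative view.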
Re: [Samba] Samba4 is it possible to change the IP of a DC?
On 20/08/12 22:47, Hleb Valoshka wrote:
> I changed IP of DC but from windows box using administrative tools from 2003.

Hi
So that should work against a Samba4 DC, no? Was that from Active Directory Users and Computers? I had a quick look there but couldn't find it.

Cheers,
Steve
Re: [Samba] Samba4 successful deployment
On 22/08/12 19:35, fe...@epepm.cupet.cu wrote:
> I've just installed samba4 beta 7 with defaults and everything went OK. As I downloaded the bind9.9.1 tarball and compiled it I had to follow steve's advice: to declare we'll be using DLZ_DLOPEN_VERSION 2 in /samba-master/source4/dns_server/dlz_minimal.h
>
> /*#ifdef BIND_VERSION_9_8
> #define DLZ_DLOPEN_VERSION 1
> #else
> #define DLZ_DLOPEN_VERSION 2
> #endif */
> #define DLZ_DLOPEN_VERSION 2
>
> I commented the first block and then added the second block explicitly to avoid a message complaining about DLZ_DLOPEN_VERSION.
> GPOs seem to be working OK. DNS secure automatic updates are working OK too.
> I've been using: Debian 6, samba4 beta 7, bind9.9.1-P1, ntp4.2.6p5
> Best regards,
> Felix.

Hi Felix
With beta7 there is no longer any need to change the source code. It is enough to select the bind version by editing named.conf in the private directory. A little less work for us hehehe!

--- --- ---

Not necessary. Just change the bind version in the private directory in named.conf.

Regards,
Steve
[Samba] where to locate smb.conf for Samba4
Hi
If I run the samba binary from a git and do a default install, I find smb.conf in /usr/local/samba/etc/smb.conf

Fine. What about running the separate smbd, nmbd and winbindd binaries instead of samba? Do I still write my smb.conf in /usr/local/samba/etc/smb.conf?

Question/summary/comment
Could anyone please confirm where smb.conf is for:
1. Samba4 AD
2. Samba4 without AD, running smbd, nmbd and winbindd in the sbin directory.
3. For distros with 3.x, I don't have to install Samba4 at all and find smb.conf in /etc/samba/smb.conf

Cheers,
Steve
[Samba] samba 3.6.6 shares show as samba 3.6.3
Hi
I just upgraded my file server from 3.6.3 to 3.6.6. In windows explorer, new shares show up as samba 3.6.6 but ones I created before the upgrade still show the old version, 3.6.3. The DC is Samba4.

Is this fixable?

Cheers,
Steve
[Samba] Samba 4 how to provision as simply a member of a domain
Hi
I want to try out the Samba 4 versions of smbd, nmbd and winbindd (not samba and not as a DC) on a box which I shall join to an existing domain. How do I provision it? Or don't I, and just join it using samba-tool domain join?

Cheers,
Steve
Re: [Samba] Samba 4 how to provision as simply a member of a domain
On 24/08/12 10:47, Rowland Penny wrote:
> On 24/08/12 09:28, steve wrote:
>> Hi
>> I want to try out the Samba 4 versions of smbd, nmbd and winbindd (not samba and not as a DC) on a box which I shall join to an existing domain. How do I provision it? Or don't I, and just join it using samba-tool domain join?
>> Cheers,
>> Steve
> Hi Steve,
> You could try 'net ads join', the net command is there in /usr/local/samba/bin and this is the command that would be used from a samba 3 domain member, but I must say that I haven't yet tried this.
> Rowland

Hi Rowland
Yes, thanks. I could always do that but I was thinking more of a samba-tool domain join method, as a member, not a dc. Anyone had any experience of this? It looks too straightforward to me. I must have missed something.

Cheers,
Steve
Re: [Samba] Samba PDC: Admin tools?
On 30/08/12 18:57, Gaiseric Vandal wrote:
> I use apache directory studio for LDAP management. It is not samba specific but it is easy enough to use existing user, group or machine objects as templates for new ones. It runs on Windows and Linux (and maybe on Mac.)
>
> On 08/25/12 16:39, John Drescher wrote:
>> On Sat, Aug 25, 2012 at 4:34 PM, Alberto Moreno ports...@gmail.com wrote:
>>> Guys. I have used smbldap-tools to handle my accounts for my PDC with samba+openldap. Now, I ask here because a lot of people have PDCs running on their networks: what tools do u use to manage your openldap db for samba: users, machines, groups? Working with Centos 6.x. Any input will be appreciated, thanks!!!
>> I use ldap account manager to manage my users / machines / group accounts.
>> John

Hi
openSUSE's yast has a really nice and little known frontend to LDAP which handles samba objects too. You can point and click your way through adding/deleting samba specific users and groups. It also has an LDAP browser similar to phpldapadmin. I'm not sure if Yast will fire up on Centos but it may be worth a look.

Cheers,
Steve
[Samba] update to 3.6.7: roaming profiles no longer work
Hi everyone
I upgraded from a working 3.6.3 openSUSE installation to their new 12.2 samba version 3.6.7. It has broken the windows roaming profiles and mapped homeDrives coming from a Samba4 AD. I'll not bore you with the (very basic) config but just want to ask if anyone else has experienced this.

Thanks,
Steve
[Samba] Windows boxes cannot find the file server
Hi
I have a Samba4 AD running samba and a Samba3 machine joined to the domain as a file server. I have smbd and winbind running on the samba3 box.

Samba4: hh30.hh3.site
Samba3: hh32.hh3.site

I can browse the shares (netlogon and sysvol) on the S4 machine by typing \\hh30 into explorer but if I type \\hh32 I get:

Windows cannot find '\\hh32'. Check the spelling. . .etc.

When I start nmbd on the server I get:

The security database on the server does not have a computer account for this workstation trust relationship.

Here is the config on the S3 file server:

[global]
preferred master = Yes
workgroup = ALTEA
security = ADS
winbind enum users = Yes
winbind enum groups = Yes
idmap config *:backend = ad
idmap config *:range = 2500-3000
idmap config ALTEA:backend = ad
idmap config ALTEA:range = 2-4000
idmap config ALTEA:schema_mode = rfc2307
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes
winbind use default domain = Yes
usershare allow guests = No
realm = HH3.SITE
winbind refresh tickets = yes

[profiles]
path = /home2/profiles
read only = No

[home]
path = /home2/home
read only = No

[staff]
path = /home2/staff
read only = No

Question: How do I get the windows machines to look for the fileserver as well as the DC?

Thanks,
Steve
Re: [Samba] Windows boxes cannot find the file server [SOLVED]
On 03/09/12 10:46, Rowland Penny wrote:
> On 03/09/12 08:41, steve wrote:
> How do the clients get their ip addresses? Are they fixed or supplied by DHCP? What nameserver are they pointed at? Does this nameserver know about hh32?

Hi Rowland. Hi everyone
Your reply gave me the clue I needed. When the fileserver joined the domain I got a DNS update error that the update for hh32 failed. I made it a fixed IP and added an A record hh32.hh3.site and the CNAME hh32 to the DC using samba-tool. Now it works, although it worries me that net ads join on a Linux box does not update DNS correctly.

For the record (jejeje) I may add that Linux clients that are on DHCP (i.e. not crucial file servers) also get the same failed DNS update message upon joining, but thereafter work fine.

Cheers,
Steve
Re: [Samba] Windows boxes cannot find the file server [SOLVED]
On 03/09/12 11:56, Rowland Penny wrote:
> On 03/09/12 10:37, steve wrote:
>> On 03/09/12 10:46, Rowland Penny wrote:
>>> On 03/09/12 08:41, steve wrote:
> Hi Steve, I cheat, my ddns server is running on my Samba4 server ;-)
> Rowland

Hi Rowland
Well, that's better than us. I use our (buy-2-get-one-free-at-the-local-supermarket brand) ADSL router. Yeah, I know. It's just plain lazy.

Cheers,
Steve
Re: [Samba] LDAP Account Manager 3.9.RC1 released
On 10/09/12 20:11, Roland Gruber wrote:
> LDAP Account Manager (LAM) 3.9.RC1 - September 10th, 2012
> LAM is a web frontend for managing accounts stored in an LDAP directory.

Can it be used to upgrade the Samba4 schema? automount maps would be very nice. Here is the ldif. If it does, I'll buy it and you guys a round of cool beers.

Cheers,
Steve

dn: CN=automountMapName,CN=Schema,CN=Configuration,DC=YOURDOMAIN
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.31
cn: automountMapName
name: automountMapName
lDAPDisplayName: automountMapName
description: automount Map Name
attributeSyntax: 2.5.5.5
oMSyntax: 22
isSingleValued: TRUE

dn: CN=automountKey,CN=Schema,CN=Configuration,DC=YOURDOMAIN
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.32
cn: automountKey
name: automountKey
lDAPDisplayName: automountKey
description: Automount Key value
attributeSyntax: 2.5.5.5
oMSyntax: 22
isSingleValued: TRUE

dn: CN=automountInformation,CN=Schema,CN=Configuration,DC=YOURDOMAIN
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.33
cn: automountInformation
name: automountInformation
lDAPDisplayName: automountInformation
description: Automount information
attributeSyntax: 2.5.5.5
oMSyntax: 22
isSingleValued: TRUE

dn: CN=automountMap,CN=Schema,CN=Configuration,DC=YOURDOMAIN
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.1.1.2.16
cn: automountMap
name: automountMap
lDAPDisplayName: automountMap
subClassOf: top
objectClassCategory: 1
mustContain: automountMapName
mayContain: description
defaultObjectCategory: CN=automountMap,CN=Schema,CN=Configuration,DC=YOURDOMAIN

dn: CN=automount,CN=Schema,CN=Configuration,DC=YOURDOMAIN
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.1.1.2.17
cn: automount
name: automount
lDAPDisplayName: automount
subClassOf: top
objectClassCategory: 1
description: Automount information
mustContain: automountKey
mustContain: automountInformation
mayContain: description
defaultObjectCategory: CN=automount,CN=Schema,CN=Configuration,DC=YOURDOMAIN
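Before loading a schema extension such as the automount LDIF above into a Samba4 (or any AD) schema it is worth a dry-run check, since schema additions cannot be removed afterwards. The following Python validator is an added example and is not part of LAM or Samba. It parses the LDIF quoted above (keeping its DC=YOURDOMAIN placeholder), checks that OIDs are unique, that every mustContain/mayContain names an attribute defined in the same file or in a small assumed base-schema list, that cn, lDAPDisplayName and the RDN agree, that defaultObjectCategory points at the entry itself, and that each attributeSyntax/oMSyntax pair matches a short table (assumption: only the syntaxes listed there are covered).

```python
"""Dry-run sanity check of an AD schema-extension LDIF before it is loaded.

Added example, not part of LAM or Samba. AUTOMOUNT_LDIF is the schema
quoted in the thread; SYNTAX_PAIRS and BASE_ATTRIBUTES are deliberately
small tables (assumption: extend them for other syntaxes/attributes).
"""

AUTOMOUNT_LDIF = """\
dn: CN=automountMapName,CN=Schema,CN=Configuration,DC=YOURDOMAIN
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.31
cn: automountMapName
name: automountMapName
lDAPDisplayName: automountMapName
description: automount Map Name
attributeSyntax: 2.5.5.5
oMSyntax: 22
isSingleValued: TRUE

dn: CN=automountKey,CN=Schema,CN=Configuration,DC=YOURDOMAIN
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.32
cn: automountKey
name: automountKey
lDAPDisplayName: automountKey
description: Automount Key value
attributeSyntax: 2.5.5.5
oMSyntax: 22
isSingleValued: TRUE

dn: CN=automountInformation,CN=Schema,CN=Configuration,DC=YOURDOMAIN
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.33
cn: automountInformation
name: automountInformation
lDAPDisplayName: automountInformation
description: Automount information
attributeSyntax: 2.5.5.5
oMSyntax: 22
isSingleValued: TRUE

dn: CN=automountMap,CN=Schema,CN=Configuration,DC=YOURDOMAIN
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.1.1.2.16
cn: automountMap
name: automountMap
lDAPDisplayName: automountMap
subClassOf: top
objectClassCategory: 1
mustContain: automountMapName
mayContain: description
defaultObjectCategory: CN=automountMap,CN=Schema,CN=Configuration,DC=YOURDOMAIN

dn: CN=automount,CN=Schema,CN=Configuration,DC=YOURDOMAIN
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.1.1.2.17
cn: automount
name: automount
lDAPDisplayName: automount
subClassOf: top
objectClassCategory: 1
description: Automount information
mustContain: automountKey
mustContain: automountInformation
mayContain: description
defaultObjectCategory: CN=automount,CN=Schema,CN=Configuration,DC=YOURDOMAIN
"""

# attributeSyntax -> permitted oMSyntax values (subset of the AD syntax table)
SYNTAX_PAIRS = {"2.5.5.5": {"19", "22"}, "2.5.5.12": {"64"},
                "2.5.5.9": {"2", "10"}, "2.5.5.8": {"1"}}
# attributes assumed to exist in the base schema, so the extension need not define them
BASE_ATTRIBUTES = {"description", "cn", "name"}


def parse_ldif(text):
    """Return a list of entries, each a dict attr -> [values] (multi-valued safe)."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(": ")
        cur.setdefault(key, []).append(value)
    if cur:
        entries.append(cur)
    return entries


def validate_schema_ldif(text):
    """Return a list of problems; an empty list means the LDIF passed every check."""
    problems, seen_oids, defined_attrs, classes = [], {}, set(), []
    for e in parse_ldif(text):
        dn = e.get("dn", ["<missing dn>"])[0]
        kinds = set(e.get("objectClass", []))
        cn = e.get("cn", [None])[0]
        ldn = e.get("lDAPDisplayName", [None])[0]
        if cn is None or ldn is None or dn.split(",", 1)[0] != "CN=" + cn or cn != ldn:
            problems.append(f"{dn}: RDN, cn and lDAPDisplayName must agree")
        oid = None
        if "attributeSchema" in kinds:
            for req in ("attributeID", "attributeSyntax", "oMSyntax", "isSingleValued"):
                if req not in e:
                    problems.append(f"{dn}: attributeSchema missing {req}")
            oid = e.get("attributeID", [None])[0]
            syntax, om = e.get("attributeSyntax", [None])[0], e.get("oMSyntax", [None])[0]
            if syntax in SYNTAX_PAIRS and om not in SYNTAX_PAIRS[syntax]:
                problems.append(f"{dn}: oMSyntax {om} does not match attributeSyntax {syntax}")
            if ldn:
                defined_attrs.add(ldn)
        elif "classSchema" in kinds:
            for req in ("governsID", "subClassOf", "objectClassCategory"):
                if req not in e:
                    problems.append(f"{dn}: classSchema missing {req}")
            oid = e.get("governsID", [None])[0]
            if e.get("defaultObjectCategory", [None])[0] != dn:
                problems.append(f"{dn}: defaultObjectCategory should be the entry's own DN")
            classes.append((dn, e))
        else:
            problems.append(f"{dn}: neither attributeSchema nor classSchema")
        if oid:
            if oid in seen_oids:
                problems.append(f"{dn}: OID {oid} already used by {seen_oids[oid]}")
            seen_oids[oid] = dn
    # second pass: a class may legitimately precede the attributes it references
    for dn, e in classes:
        for key in ("mustContain", "mayContain"):
            for attr in e.get(key, []):
                if attr not in defined_attrs and attr not in BASE_ATTRIBUTES:
                    problems.append(f"{dn}: {key} refers to undefined attribute {attr}")
    return problems


if __name__ == "__main__":
    print(validate_schema_ldif(AUTOMOUNT_LDIF) or "automount LDIF: no problems found")
```

Run against the LDIF from the thread the validator reports nothing; a misspelled mustContain or a reused OID (the two mistakes that most often get an extension rejected, or worse, accepted with a dangling reference) is reported with the offending DN.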
Re: [Samba] [Announce] Samba 4.0.0rc1 Available for Download
On 13/09/12 12:40, Karolin Seeger wrote:
> Release Announcements

Is the Internal DNS now the default? I upgraded from beta 8 and could only get the samba binary to work if I stopped my distro's bind configured with bind dlz. Here it is with bind working:

failed to bind to fe80::212:f0ff:fe06:9cda%eth1:53 TCP - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
task_server_terminate: [dns failed to setup interfaces]
standard_terminate: reason[dns failed to setup interfaces]
/usr/local/samba/sbin/smbd: smbd version 4.1.0pre1-GIT-9158423 started.

If I turn off bind, I lose my Internet connection. Please be clear.

Cheers,
Steve
Re: [Samba] [Announce] Samba 4.0.0rc1 Available for Download
On 13/09/12 18:47, Rowland Penny wrote:
> On 13/09/12 17:34, steve wrote:
>> On 13/09/12 12:40, Karolin Seeger wrote:
>>> Release Announcements
>> Is the Internal DNS now the default? I upgraded from beta 8 and could only get the samba binary to work if I stopped my distro's bind configured with bind dlz. Here it is with bind working:
>> failed to bind to fe80::212:f0ff:fe06:9cda%eth1:53 TCP - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
>> task_server_terminate: [dns failed to setup interfaces]
>> standard_terminate: reason[dns failed to setup interfaces]
>> /usr/local/samba/sbin/smbd: smbd version 4.1.0pre1-GIT-9158423 started.
>> If I turn off bind, I lose my Internet connection. Please be clear.
>> Cheers,
>> Steve
> Hi Steve, yes the internal dns server is now the default, is that clear enough ;-)

Not for us. No. We need to know what to do and what to change to make it the default. Just tell us.

Yes, you have a choice but how? Answered in my last inline.

And it gets worse, Yeah, I know it does. Try explaining it to 10 irate Spaniards.

Thanks Rowland

No. That's the point. Having followed the discussions for the last week it seemed highly unlikely Kai would get anywhere near the RC1. It doesn't add a forwarder nor interfaces line nor warn you that after the upgrade to the RC you have to work out how to add these yourself. And let's be fair, it most probably would do if we built and provisioned from new. I've 2000 + users just started a new term over here and I want to move forward, not roll back.

Ah well, the air-con goes off in 10 minutes and I'm going home;)

Cheers,
Steve
Re: [Samba] [Announce] Samba 4.0.0rc1 Available for Download
On 13/09/12 20:17, Rowland Penny wrote:
> On 13/09/12 18:33, steve wrote:
>> On 13/09/12 18:47, Rowland Penny wrote:
>>> On 13/09/12 17:34, steve wrote:
>>>> On 13/09/12 12:40, Karolin Seeger wrote:
>>>>> Release Announcements
>>>> Is the Internal DNS now the default? I upgraded from beta 8 and could only get the samba binary to work if I stopped my distro's bind configured with bind dlz. Here it is with bind working:
>>>> failed to bind to fe80::212:f0ff:fe06:9cda%eth1:53 TCP - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
>>>> task_server_terminate: [dns failed to setup interfaces]
>>>> standard_terminate: reason[dns failed to setup interfaces]
>>>> /usr/local/samba/sbin/smbd: smbd version 4.1.0pre1-GIT-9158423 started.
>>>> If I turn off bind, I lose my Internet connection. Please be clear.
>>>> Cheers,
>>>> Steve
>>> Hi Steve, yes the internal dns server is now the default, is that clear enough ;-)
>> Not for us. No. We need to know what to do and what to change to make it the default. Just tell us.
>> Yes, you have a choice but how? Answered in my last inline.
>> And it gets worse, Yeah, I know it does. Try explaining it to 10 irate Spaniards.
>> Thanks Rowland
>> No. That's the point. Having followed the discussions for the last week it seemed highly unlikely Kai would get anywhere near the RC1. It doesn't add a forwarder nor interfaces line nor warn you that after the upgrade to the RC you have to work out how to add these yourself. And let's be fair, it most probably would do if we built and provisioned from new. I've 2000 + users just started a new term over here and I want to move forward, not roll back.
>> Ah well, the air-con goes off in 10 minutes and I'm going home;)
>> Cheers,
>> Steve
>
> Steve, if you download the RC1 from http://ftp.samba.org/pub/samba/rc/samba-4.0.0rc1.tar.gz compile it as usual and then provision, but with the new style provision:
> samba-tool domain provision --realm=your realm --domain=YOURDOMAIN --adminpass=pass --use-rfc2307 --server-role=dc
> You will end up using the internal dns server, this puts a forwarder into smb.conf and works provided that you put the server's ip address into /etc/resolv.conf, not 127.0.0.1
> Rowland

Hi Rowland
Thanks for that but I can't reprovision. Who can? I have 150 linux, xp and w7 clients to support. I simply cannot start from bare metal. To be able to do that I would have to have a reliable backup. Evidently neither the backup scripts in samba-master nor rsync can do that at the moment. (secretly hopes someone can confirm otherwise)

Anyway. Early days. Again!

Cheers,
Steve
[Samba] Printing from Samba4
Hi
I have a printer connected to a Samba4 AD machine. I set it up using CUPS. It works fine. Is there a howto as to what I need to add to smb.conf to be able to print from windows boxes connected to the domain?

Thanks
Steve
Re: [Samba] Printing from Samba4
On 27/09/12 22:25, Florian Scholz wrote:
> try http://wiki.samba.org/index.php/Samba4/HOWTO#Step_13:_Setup_a_Printer_share
>
> 2012/9/27 steve st...@steve-ss.com
>> Hi
>> I have a printer connected to a Samba4 AD machine. I set it up using CUPS. It works fine. Is there a howto as to what I need to add to smb.conf to be able to print from windows boxes connected to the domain?

Hi
Thanks for the link. I can see the printer (HP Deskjet F2200) in Printers and Faxes without doing anything. I can send files to it too but nothing prints. The files I send appear in the print queue and disappear as if they have been spooled. I think the problem is that I can't install a windows driver for it:

Everything is OK until step 4: Click File - Server Properties
Here, everything is greyed out.

So I can't do step 5: On the Drivers Tab, Click 'Add...', then 'Next'
because 'Add. . .' is greyed out.

It's as if the Domain Administrator does not have permission to do anything from a client. Any ideas where I can check?

Cheers,
Steve
Re: [Samba] Samba4 ADC cannot edit GPO with W2K3
On 28/09/12 13:27, fe...@epepm.cupet.cu wrote:
> Try:
> /usr/local/samba/bin/samba-tool ntacl sysvolcheck
> and if it yields some error then:
> /usr/local/samba/bin/samba-tool ntacl sysvolreset
> It worked for me.

Hi
Exactly the same GPO creation error here. Here are the outputs from the samba4 git build today:

samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /usr/local/samba/var/locks/sysvol/hh3.site/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) does not match expected value O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) from GPO object
  File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py, line 170, in _run
    return self.run(*args, **kwargs)
  File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py, line 245, in run
    lp)
  File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1578, in checksysvolacl
    direct_db_access)
  File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1530, in check_gpos_acl
    domainsid, direct_db_access)
  File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1480, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

and:

samba-tool ntacl sysvolreset
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER.
ERROR(runtime): uncaught exception - (-1073741734, 'NT_STATUS_INVALID_OWNER')
  File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py, line 170, in _run
    return self.run(*args, **kwargs)
  File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py, line 214, in run
    lp, use_ntvfs=use_ntvfs)
  File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1468, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs)
  File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1405, in set_gpos_acl
    str(domainsid), use_ntvfs)
  File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1369, in set_dir_acl
    setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs)
  File /usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py, line 108, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd)

Do we have to reprovision in this case?

Cheers,
Steve
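The sysvolcheck error above contains two SDDL strings: the descriptor found on the GPO directory and the one Samba expects for it. Comparing them by eye is error-prone, so the following Python script, an added example rather than Samba code, parses both and lists the concrete differences (owner, group, ACL flags, ACEs missing from or unexpected in the actual descriptor). The two descriptors are the ones quoted above; the alias and rights tables cover only the values that occur in them.

```python
"""Diff two SDDL security descriptors the way sysvolcheck compares them, so a
'does not match expected value' error becomes a list of concrete differences.

Added example, not Samba code. ACTUAL_SDDL/EXPECTED_SDDL are the two
descriptors quoted in the thread for the Default Domain Policy directory.
"""
import re

ACTUAL_SDDL = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
               "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")
EXPECTED_SDDL = ("O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
                 "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
                 "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
                 "(A;OICI;0x001200a9;;;ED)"
                 "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-f80367c1;"
                 "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
                 "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-f80367c1;"
                 "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")

# well-known SDDL SID aliases that appear in sysvol descriptors (subset)
ALIASES = {"LA": "Local Administrator", "BA": "BUILTIN\\Administrators",
           "DA": "Domain Admins", "DU": "Domain Users", "EA": "Enterprise Admins",
           "CO": "CREATOR OWNER", "SY": "SYSTEM", "AU": "Authenticated Users",
           "ED": "Enterprise Domain Controllers", "SO": "Server Operators",
           "WD": "Everyone"}
# access masks seen above (subset)
RIGHTS = {"0x001f01ff": "Full control", "0x001200a9": "Read & execute"}


def parse_sddl(sddl):
    """Return {'owner', 'group', 'dacl': (flags, aces), 'sacl': (flags, aces)};
    each ACE is the 6-tuple (type, flags, rights, object guid, inherit guid, sid)."""
    desc = {"owner": None, "group": None, "dacl": ("", frozenset()), "sacl": ("", frozenset())}
    for part in re.split(r"(?=[OGDS]:)", sddl):
        if not part:
            continue
        kind, body = part[0], part[2:]
        if kind == "O":
            desc["owner"] = body
        elif kind == "G":
            desc["group"] = body
        else:
            flags = body.split("(", 1)[0]
            aces = frozenset(tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", body))
            desc["dacl" if kind == "D" else "sacl"] = (flags, aces)
    return desc


def describe_sid(sid):
    return ALIASES.get(sid, sid)


def describe_ace(ace):
    ace_type, flags, rights, _obj, _inh, sid = ace
    return f"{ace_type};{flags};{RIGHTS.get(rights, rights)};{describe_sid(sid)}"


def diff_sddl(actual, expected):
    """List human-readable differences; an empty list means the descriptors match."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    report = []
    if a["owner"] != e["owner"]:
        report.append(f"owner: {describe_sid(a['owner'])} (expected {describe_sid(e['owner'])})")
    if a["group"] != e["group"]:
        report.append(f"group: {describe_sid(a['group'])} (expected {describe_sid(e['group'])})")
    for acl in ("dacl", "sacl"):
        (aflags, aaces), (eflags, eaces) = a[acl], e[acl]
        if aflags != eflags:
            report.append(f"{acl} flags: {aflags or '<none>'} (expected {eflags or '<none>'})")
        for ace in sorted(eaces - aaces):
            report.append(f"{acl} missing: {describe_ace(ace)}")
        for ace in sorted(aaces - eaces):
            report.append(f"{acl} unexpected: {describe_ace(ace)}")
    return report


if __name__ == "__main__":
    for line in diff_sddl(ACTUAL_SDDL, EXPECTED_SDDL):
        print(line)
```

For the descriptors above the report shows that the directory is owned by the local Administrator with group BUILTIN\Administrators instead of Domain Admins/Domain Users, that the Domain Admins, Enterprise Admins, CREATOR OWNER and Enterprise Domain Controllers ACEs are absent while BUILTIN\Administrators and Server Operators ACEs are present, and that the whole auto-inherited SACL is missing. Duplicate ACEs (the expected DACL lists the DA entry twice) are collapsed, which is what you want when deciding what actually needs to change.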
Re: [Samba] Why smbd (version 4.1.0) uses source3/smbd/server.c not source4/smbd/server.c
On 29/09/12 02:45, Jun Yi wrote:
> Dear everybody,
> Could anybody tell me the reason? Does the code of samba 3 and samba 4 mix together in the master branch? How can I let smbd be compiled from source4/smbd/server.c?
> Thanks and have a good weekend
> Jun
>
> The following is what I got from the command line:
> junyij-2.desktop$ ./smbd
> [2012/09/28 17:36:18, 0] ../lib/util/debug.c:592(reopen_logs_internal)
>   Unable to open new log file '/usr/local/samba/var/log.smbd': Permission denied
> [2012/09/28 17:36:18, 0] ../source3/lib/dumpcore.c:249(dump_core_setup)
>   Unable to setup corepath for smbd: Operation not permitted
> [2012/09/28 17:36:18, 0] ../lib/util/debug.c:592(reopen_logs_internal)
>   Unable to open new log file '/usr/local/samba/var/log.smbd': Permission denied
> [2012/09/28 17:36:18, 0] ../source3/smbd/server.c:1182(main)
>   smbd version 4.1.0pre1-DEVELOPERBUILD started.
>   Copyright Andrew Tridgell and the Samba Team 1992-2012
> [2012/09/28 17:36:18, 0] ../source3/smbd/server.c:1197(main)
>   error opening config file '/usr/local/samba/etc/smb.conf'
> junyij-2.desktop$ ./smbd -V
> Version 4.1.0pre1-DEVELOPERBUILD

Hi
Try running it as root instead.

HTH
Steve
Re: [Samba] Error in RC1
On 04/10/12 18:38, fe...@epepm.cupet.cu wrote:
> I'm getting this error continuously:
> [2012/10/04 12:36:08, 0] ../source4/smbd/process_single.c:56(single_accept_connection)
>   single_accept_connection: accept: NT_STATUS_TOO_MANY_OPENED_FILES
>   single_accept_connection: accept: NT_STATUS_TOO_MANY_OPENED_FILES
> [2012/10/04 12:36:09, 0] ../source4/smbd/process_single.c:56(single_accept_connection)
>   single_accept_connection: accept: NT_STATUS_TOO_MANY_OPENED_FILES
>   single_accept_connection: accept: NT_STATUS_TOO_MANY_OPENED_FILES
> [2012/10/04 12:36:10, 0] ../source4/smbd/process_single.c:56(single_accept_connection)
>   single_accept_connection: accept: NT_STATUS_TOO_MANY_OPENED_FILES
>   single_accept_connection: accept: NT_STATUS_TOO_MANY_OPENED_FILES
> What can I do to solve it?
> Cheers,
> Felix.

Hi
Try starting samba something like:
samba -i -d3

HTH
Steve
[Samba] Libreoffice and roaming profile log-off delay
samba --version
Version 4.0.0rc3-GIT-56ffe75
AD and s3fs on the same box.
libreoffice 3.6.1

Hi
If a user has used libreoffice, his log-off time is around 3 minutes on both XP and w7. samba shows 50% and smbd shows 20% CPU usage during the delay. I can get the delay down to around 2 minutes by removing all of the optional libreoffice modules (such as the wiki publisher). The delay is less for subsequent log-offs but still a pita.

Questions:
When the user logs off, is the profile synced to the file server or is the whole lot copied again?
Any ideas to work around this?

Cheers,
Steve
Re: [Samba] Roaming Profiles under Linux clients
On 05/10/12 09:44, Denis Cardon wrote:
> Hi Mario,
>> As I configured the Roaming profiles under linux, it more or less generates an abnormal operation (in less than 2 mins) if I add/copy some files to the home directory. But for Windows XP and Windows 7 it is running smoothly and it generates folders at the Samba4 server location with corresponding users, e.g. Administrator (for XP), and Administrator.V2 (for Win7/2008) based on my observations.
> I'm interested in the way you configured the roaming profile on the linux side. Did you use csync for the synchronisation? I've looked at it in the past and didn't find any straight away solution.
> Anyway, I guess there should be some kind of Administrator.linux profile directory on the server side since the ubuntu profile won't be compatible from windows to linux (those profiles are not even compatible between winxp and win7...)
> Cheers,
> Denis
>
> I was confused on roaming under linux (or maybe it was not yet supported), because once I login as the administrator (one account in Samba4 - AD user) in linux, adding (files to the desktop) or modifying (I used to move to the home directory), then login to the Windows 7 and WinXP, it will NOT login when I see the logs of the server using -d3:
> Kerberos: Client sent patypes: encrypted-timestamp, 128
> Kerberos: Looking for PKINIT pa-data -- administrator@UCHIHA
> Kerberos: Looking for ENC-TS pa-data -- administrator@UCHIHA
> Kerberos: Failed to decrypt PA-DATA -- administrator@UCHIHA (enctype arcfour-hmac-md5) error Decrypt integrity check failed
> Kerberos: Failed to decrypt PA-DATA -- administrator@UCHIHA
> Kerberos: AS-REQ administrator@UCHIHA from ipv4:192.168.150.135:3064 for krbtgt/UCHIHA@UCHIHA
> But for a few minutes, you can login again and this time it will display at the system tray (a dialog box)
> User Profile Service
> There was a problem with your roaming profile. You have been logged on with your previously saved local profile. Please see the event logs for details or contact your administrator
> but those files are just only few bytes (less than 1MB) just the pam.d files. The saved files are not located on either of Windows XP or 7.
> auth_check_password_send: Checking password for unmapped user [UCHIHA]\[administrator]@[\\AMBOT-LINUX]
> auth_check_password_send: mapped user is: [UCHIHA]\[administrator]@[\\AMBOT-LINUX]
> ntlm_password_check: NTLMv2 password check failed
> ntlm_password_check: Lanman passwords NOT PERMITTED for user administrator
> ntlm_password_check: LM password, NT MD4 password in LM field and LMv2 failed for user administrator
> auth_check_password_recv: sam_ignoredomain authentication for user [UCHIHA\administrator] FAILED with error NT_STATUS_WRONG_PASSWORD
> schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/AMBOT-LINUX
> auth_check_password_send: Checking password for unmapped user [UCHIHA]\[administrator]@[\\AMBOT-LINUX]
> auth_check_password_send: mapped user is: [UCHIHA]\[administrator]@[\\AMBOT-LINUX]
> Got a dns update request.
> Update not allowed for unsigned packet.
> Tkey handshake completed
> Terminating connection - 'dns_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> single_terminate: reason[dns_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> But after 20mins, coz I went somewhere, it goes to normal again. I conclude that Linux (Ubuntu 12.04) roaming profiles are not yet implemented in Samba4 RC2 - Centos 6.3.
> Other observation: the Windows7 machine is not detected in the network, but the WinXp and Ubuntu machines are visible.
> Any ideas how to implement roaming profiles under Linux as the clients?
> Cheers,
> Mario

Hi
It's working here with Version 4.0.0rc3-GIT-56ffe75

All we do to set up the roaming profile on Linux is to add the attribute:

profilePath: \\server\profiles\steve2

to the user DN entry in LDAP.

and whilst we're there we also map his windows home directory to his Linux home directory:

homeDrive: Z:
homeDirectory: \\server\home\steve2

Make sure that the profiles share is writeable by the users. We chmod 1777'd it.

HTH
Steve
Re: [Samba] Picking the right installer
On 05/10/12 02:01, Andrew wrote:

Hi Andrew

> Apache Linux server (Arvixe)

I think that's a web hosting service, no?

> PC running Windows 7 Ultimate with MS Office.

Do you have a spare computer to install e.g. Linux? If you did, the chances are that samba would be installed by default.
Cheers
Steve
Re: [Samba] Roaming Profiles under Linux clients
On 05/10/12 17:21, Michael Wood wrote:
> On 5 October 2012 13:14, steve st...@steve-ss.com wrote:
> [...]
> > Hi
> > It's working here with Version 4.0.0rc3-GIT-56ffe75
> > All we do to set up the roaming profile on Linux is to add the attribute:
> >
> > profilePath: \\server\profiles\steve2
> >
> > to the user DN entry in LDAP, and whilst we're there we also map his windows home directory to his Linux home directory:
> >
> > homeDrive: Z:
> > homeDirectory: \\server\home\steve2
> >
> > Make sure that the profiles share is writeable by the users. We chmod 1777'd it.
> > HTH
> > Steve
>
> I've never looked at this and don't need it now, but I'm interested.
> How is this implemented on the client?

The above is what ADUC adds to the directory when you fill in the fields on the profile tab for a user. It's quicker to use a little script around samba-tool user add and add the attributes on the Linux AD machine rather than use ADUC. You just need ldbmodify and (in this example) the [home] and [profiles] shares in smb.conf.

Linux clients map whatever the [home] share points at to the unixHomeDirectory attribute. The latter can use either winbind or nslcd to pull the info from ldap.

Let me know if you need any more detail.
Cheers,
Steve
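The "little script around samba-tool user add" plus ldbmodify that Steve mentions, using the three attribute values from his earlier reply, as an added example that is not Steve's own script and not part of the Samba project. It is a POSIX shell script that emits the LDIF modify record for profilePath, homeDrive and homeDirectory and feeds it to ldbmodify after the account is created. The user DN (CN=...,CN=Users,DC=example,DC=com), the server name "server", the [profiles]/[home] share names, the script file name and the sam.ldb path are assumptions for the example; substitute your own.

```shell
#!/bin/sh
# Added example (not Steve's script, not Samba project code): set the
# roaming-profile and home-drive attributes on an AD user with ldbmodify,
# the same three attributes ADUC writes from the Profile tab. Server name,
# share names, user DN and the sam.ldb path are assumptions.

# profile_ldif USER_DN USERNAME SERVER
# Print an LDIF "modify" record that replaces profilePath, homeDrive and
# homeDirectory on the user object. printf turns '\\' into one backslash,
# so the emitted values are UNC paths such as \\server\profiles\steve2.
profile_ldif() {
    dn=$1
    user=$2
    server=$3
    printf 'dn: %s\n' "$dn"
    printf 'changetype: modify\n'
    printf 'replace: profilePath\n'
    printf 'profilePath: \\\\%s\\profiles\\%s\n' "$server" "$user"
    printf '%s\n' -
    printf 'replace: homeDrive\n'
    printf 'homeDrive: Z:\n'
    printf '%s\n' -
    printf 'replace: homeDirectory\n'
    printf 'homeDirectory: \\\\%s\\home\\%s\n' "$server" "$user"
    printf '%s\n' -
}

# add_user_with_profile USERNAME USER_DN SERVER [DB_URL]
# Create the account with samba-tool (it prompts for the password), then
# apply the attributes. Run as root on the Samba 4 DC. DB_URL defaults to
# the sam.ldb path of a self-compiled Samba 4 (assumption); an ldap://dc
# URL with --kerberos=yes works the same way against a remote DC.
add_user_with_profile() {
    user=$1
    dn=$2
    server=$3
    url=${4:-/usr/local/samba/private/sam.ldb}
    samba-tool user add "$user" || return 1
    # ldbmodify reads the LDIF from stdin when no file argument is given
    profile_ldif "$dn" "$user" "$server" | ldbmodify -H "$url"
}

# show_profile USERNAME [DB_URL]
# Read the attributes back, together with the RFC2307 attributes a Linux
# client needs; an account without uidNumber/gidNumber has no POSIX
# identity to write to the share with.
show_profile() {
    user=$1
    url=${2:-/usr/local/samba/private/sam.ldb}
    ldbsearch -H "$url" "(sAMAccountName=$user)" \
        profilePath homeDrive homeDirectory uidNumber gidNumber unixHomeDirectory
}

# Usage on the DC (file name is an assumption):
#   sh add_profile_user.sh steve2 'CN=steve2,CN=Users,DC=example,DC=com' server
if [ $# -eq 3 ]; then
    add_user_with_profile "$1" "$2" "$3" && show_profile "$1"
fi
```

The script only touches the directory entry; the share-side permissions Steve describes (the profiles directory chmod 1777, world-writeable with the sticky bit so users can only delete their own files) are set separately. show_profile lists uidNumber and gidNumber as well because, as Steve observes later in the thread, an account that lacks them (Administrator in his case) ends up with nothing written to the share.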
Re: [Samba] Libreoffice and roaming profile log-off delay
On 05/10/12 17:57, Rowland Penny wrote:
> On 05/10/12 12:01, steve wrote:
>
> I can email you the instructions for XP if you are interested and point you to a website for W7; this is a bit different but works the same.

Hi Rowland.
That would be great. I'll start with the XP and see how it goes.
Cheers,
Steve
[Samba] Samba4: Folder Redirection GPO not working with Windows 7
Hi
I have folder redirection working fine in XP. I see that W7 has taken the same configuration as I made in XP. Here is a screenshot:
http://dl.dropbox.com/u/45150875/gpo.png

Unfortunately, on w7, whilst the roaming profile is correctly set, there is no folder redirection. Nothing appears in the \\hh1\USERS folder for the user who has logged in.

Upon opening the GPO editor as Administrator in W7, I get an error message about AD and sysvol permissions:
'The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. (...) To change the SYSVOL permissions to those in Active Directory, click OK.'
Clicking OK gives 'Access is Denied.'

I then ran samba-tool ntacl sysvolreset and restarted the GPO editor. It then opened without the error:)

The settings appear exactly as I set them on XP but are not honoured in W7.

The share for the redirected folders says it's offline. There is an offline tab where the security tab normally is under the share properties. Relevant?

Can anyone help me trace what's wrong?
Cheers,
Steve
Re: [Samba] Roaming Profiles under Linux clients
On 06/10/12 11:14, Michael Wood wrote:
> On 5 October 2012 17:36, steve st...@steve-ss.com wrote:
> > On 05/10/12 17:21, Michael Wood wrote:
> > > On 5 October 2012 13:14, steve st...@steve-ss.com wrote:
> > > [...]
> > [...]
> > Linux clients map whatever the [home] share points at to the unixHomeDirectory attribute. The latter can use either winbind or nslcd to pull the info from ldap.
> > Let me know if you need any more detail.
>
> That doesn't sound like a roaming profile at all.

No it isn't. The bit before it was. I mentioned it as we set it at the same time as the profile path in the directory. That's all.
Cheers,
Steve
Re: [Samba] Roaming Profiles under Linux clients
On 06/10/12 11:32, Rowland Penny wrote:
> On 06/10/12 10:14, Michael Wood wrote:
> > On 5 October 2012 17:36, steve st...@steve-ss.com wrote:
> > > On 05/10/12 17:21, Michael Wood wrote:
> > > > On 5 October 2012 13:14, steve st...@steve-ss.com wrote:
> >
> > Is that possible on Linux clients? If so, how is it implemented? With csync as Denis asked?
>
> Hi, what you can do is use pam-mount to mount the user's home directory from the server onto the Linux client. This is actually faster than roaming profiles as no data actually moves.

Hi
We use NFS4 to mount the samba share directories on the Linux clients. If you want, you could also mount the profiles share so that your users had access to whatever was on e.g. their windows desktop too. As we have more Linux clients than windows, I try to encourage users to store stuff in their home folder rather than in their windows profile.
HTH
Steve
Re: [Samba] Samba4: Folder Redirection GPO not working with Windows 7
On 06/10/12 17:11, steve wrote:
> Hi
> I have folder redirection working fine in XP. I see that W7 has taken the same configuration as I made in XP. Here is a screenshot:
> http://dl.dropbox.com/u/45150875/gpo.png
>
> Unfortunately, on w7, whilst the roaming profile is correctly set, there is no folder redirection. Nothing appears in the \\hh1\USERS folder for the user who has logged in.
>
> Upon opening the GPO editor as Administrator in W7, I get an error message about AD and sysvol permissions:
> 'The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. (...) To change the SYSVOL permissions to those in Active Directory, click OK.'
> Clicking OK gives 'Access is Denied.'
>
> I then ran samba-tool ntacl sysvolreset and restarted the GPO editor. It then opened without the error:)
>
> The settings appear exactly as I set them on XP but are not honoured in W7.
>
> The share for the redirected folders says it's offline. There is an offline tab where the security tab normally is under the share properties. Relevant?
>
> Can anyone help me trace what's wrong?
> Cheers,
> Steve

Further tests, using the windows 'set' command, show that the policy is only being applied to Administrator. IOW, 'APPDATA' is being redirected to the server. Everyone else still has the local Roaming folder for appdata.

I have run gpupdate /force but still no folder redirection for users.
Thanks,
Steve
Re: [Samba] Samba4: Folder Redirection GPO not working with Windows 7
On 07/10/12 10:52, Andrew Bartlett wrote:
> On Sun, 2012-10-07 at 10:07 +0200, steve wrote:
> > On 06/10/12 17:11, steve wrote:
> > > Hi
> > > I have folder redirection working fine in XP. I see that W7 has taken the same configuration as I made in XP. Here is a screenshot:
> > > http://dl.dropbox.com/u/45150875/gpo.png
> > >
> > > Unfortunately, on w7, whilst the roaming profile is correctly set, there is no folder redirection. Nothing appears in the \\hh1\USERS folder for the user who has logged in.
> > >
> > > Upon opening the GPO editor as Administrator in W7, I get an error message about AD and sysvol permissions:
> > > 'The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. (...) To change the SYSVOL permissions to those in Active Directory, click OK.'
> > > Clicking OK gives 'Access is Denied.'
> > >
> > > I then ran samba-tool ntacl sysvolreset and restarted the GPO editor. It then opened without the error:)
> > >
> > > The settings appear exactly as I set them on XP but are not honoured in W7.
> > >
> > > The share for the redirected folders says it's offline. There is an offline tab where the security tab normally is under the share properties. Relevant?
> > >
> > > Can anyone help me trace what's wrong?
> > > Cheers,
> > > Steve
> >
> > Further tests, using the windows 'set' command, show that the policy is only being applied to Administrator. IOW, 'APPDATA' is being redirected to the server. Everyone else still has the local Roaming folder for appdata.
> >
> > I have run gpupdate /force but still no folder redirection for users.
> > Thanks,
> > Steve
>
> Look for file permission errors in the network trace when accessing the GPO.
>
> Andrew Bartlett

Hi Andrew
I did a wireshark of a user called steve2 logging on and off:
http://dl.dropbox.com/u/45150875/logon

The folder to which the gpo should redirect, \\hh1\USERS, is mentioned only once; all the other SMB2 traces refer to the steve2.V2 profile folder.

I have Application Data redirected to \\hh1\USERS. 'set' shows APPDATA is still local to the client.

The gpo works fine on XP but fails for all users other than Administrator on W7. 'set' for Administrator shows the redirection to the server share at \\hh1\USERS\Administrator\Application Data. For Administrator nothing is written to the share, but I think this is because Administrator does not have a uidNumber nor gidNumber.

Any help most gratefully received.
Cheers,
Steve

This works fine on XP but fails on W7.
Re: [Samba] Samba4: Folder Redirection GPO not working with Windows 7
On 07/10/12 12:58, steve wrote:
> On 07/10/12 10:52, Andrew Bartlett wrote:
> > On Sun, 2012-10-07 at 10:07 +0200, steve wrote:
> > > On 06/10/12 17:11, steve wrote:
> > > > Hi
> > > > I have folder redirection working fine in XP. I see that W7 has taken the same configuration as I made in XP. Here is a screenshot:
> > > > http://dl.dropbox.com/u/45150875/gpo.png
> > > >
> > > > Unfortunately, on w7, whilst the roaming profile is correctly set, there is no folder redirection. Nothing appears in the \\hh1\USERS folder for the user who has logged in.
> > > >
> > > > Upon opening the GPO editor as Administrator in W7, I get an error message about AD and sysvol permissions:
> > > > 'The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. (...) To change the SYSVOL permissions to those in Active Directory, click OK.'
> > > > Clicking OK gives 'Access is Denied.'
> > > >
> > > > I then ran samba-tool ntacl sysvolreset and restarted the GPO editor. It then opened without the error:)
> > > >
> > > > The settings appear exactly as I set them on XP but are not honoured in W7.
> > > >
> > > > The share for the redirected folders says it's offline. There is an offline tab where the security tab normally is under the share properties. Relevant?
> > > >
> > > > Can anyone help me trace what's wrong?
> > > > Cheers,
> > > > Steve
> > >
> > > Further tests, using the windows 'set' command, show that the policy is only being applied to Administrator. IOW, 'APPDATA' is being redirected to the server. Everyone else still has the local Roaming folder for appdata.
> > >
> > > I have run gpupdate /force but still no folder redirection for users.
> > > Thanks,
> > > Steve
> >
> > Look for file permission errors in the network trace when accessing the GPO.
> >
> > Andrew Bartlett
>
> Hi Andrew
> I did a wireshark of a user called steve2 logging on and off:
> http://dl.dropbox.com/u/45150875/logon
>
> The folder to which the gpo should redirect, \\hh1\USERS, is mentioned only once; all the other SMB2 traces refer to the steve2.V2 profile folder.
>
> I have Application Data redirected to \\hh1\USERS. 'set' shows APPDATA is still local to the client.
>
> The gpo works fine on XP but fails for all users other than Administrator on W7. 'set' for Administrator shows the redirection to the server share at \\hh1\USERS\Administrator\Application Data. For Administrator nothing is written to the share, but I think this is because Administrator does not have a uidNumber nor gidNumber.
>
> Any help most gratefully received.
> Cheers,
> Steve
>
> This works fine on XP but fails on W7.

OK
Getting a bit closer:
The share \\hh1\USERS is not accessible by users, neither can I set the security on it as Administrator because the security tab has been replaced by 'offline files'. The underlying POSIX share is /home2/USERS and it is 0777, global RW.

Summary: In W7, users cannot access the share.
Question: how can I remove the offline files and get a security tab back?
Thanks,
Steve
Re: [Samba] Samba4: Folder Redirection GPO not working with Windows 7
On 07/10/12 17:14, Rowland Penny wrote:
> On 07/10/12 16:02, steve wrote:
> > On 07/10/12 12:58, steve wrote:
> > > On 07/10/12 10:52, Andrew Bartlett wrote:
> > > > On Sun, 2012-10-07 at 10:07 +0200, steve wrote:
> > > > > On 06/10/12 17:11, steve wrote:
>
> Hi Steve, a quick google finds:
> http://www.sevenforums.com/tutorials/48829-offline-files-enable-disable-use.html

Hi Rowland
Thanks for that. I've now got a security tab back. But still no folder redirection:(
Not given up yet.
Cheers,
Steve
Re: [Samba] Samba4: Folder Redirection GPO not working with Windows 7
On 07/10/12 17:37, steve wrote:
> On 07/10/12 17:14, Rowland Penny wrote:
> > On 07/10/12 16:02, steve wrote:
> > > On 07/10/12 12:58, steve wrote:
> > > > On 07/10/12 10:52, Andrew Bartlett wrote:
> > > > > On Sun, 2012-10-07 at 10:07 +0200, steve wrote:
> > > > > > On 06/10/12 17:11, steve wrote:
> >
> > Hi Steve, a quick google finds:
> > http://www.sevenforums.com/tutorials/48829-offline-files-enable-disable-use.html
>
> Hi Rowland
> Thanks for that. I've now got a security tab back. But still no folder redirection:(

Having the security tab back on \\hh1\USERS now gives everyone permission to enter and create files in the share, and now Administrator has his Application Data redirected to the share. He has a file under \\hh1\USERS as per the GPO.

However, ordinary users, whilst able to read and write the share, do not have their Application Data redirected.

Still works fine for all users with XP but not W7.
Cheers,
Steve